Skip to main content

JD Cloud JDCOS CVE-2026-7705

LOW
Command Injection (CWE-77)
2026-05-03 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
May 03, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
May 03, 2026 - 23:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 03, 2026 - 23:16 vuln.today
Public exploit code
Analysis Generated
May 03, 2026 - 23:00 vuln.today
Analysis Generated
May 03, 2026 - 22:45 vuln.today
CVE Published
May 03, 2026 - 22:00 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function set_iptv_info of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Command injection in JD Cloud JDCOS 4.5.1.r4518 allows authenticated remote attackers to execute arbitrary system commands via manipulation of the vid parameter in the set_iptv_info function of the /jdcap service interface. The vulnerability has a CVSS score of 6.3 (Medium) with low attack complexity and is actively weaponized with publicly available exploit code. The vendor has not responded to early disclosure notifications.

Technical ContextAI

JDCOS exposes a service interface endpoint at /jdcap that includes a set_iptv_info function vulnerable to command injection (CWE-77). The vid parameter passed to this function is not properly sanitized before being used in system command construction, allowing an authenticated attacker to inject arbitrary shell metacharacters and commands. The vulnerability exists in version 4.5.1.r4518 as indicated by the CPE cpe:2.3:a:jd_cloud:jdcos:*:*:*:*:*:*:*:*. The attack vector is network-accessible and requires only low privileges (PR:L in CVSS vector), meaning any authenticated user can trigger the injection.

RemediationAI

No vendor-released patch identified at time of analysis - the vendor has not responded to early disclosure. Immediate mitigation options include: (1) Restrict network access to the /jdcap endpoint using a web application firewall or reverse proxy, blocking non-authorized source IPs; (2) Require additional authentication layers (e.g., VPN, IP whitelisting) before users can access JDCOS authenticated endpoints; (3) Disable the set_iptv_info function or IPTV service entirely if not operationally required; (4) Monitor for suspicious input patterns in the vid parameter (e.g., shell metacharacters: |, ;, `, $, &, &&, ||) and block or alert on detection; (5) Run JDCOS with minimal necessary privileges (dedicated service account, no root) to limit post-exploitation impact. Contact JD Cloud directly for patch status, and consider evaluating alternative solutions if the vendor cannot provide a timeline for remediation. Organizations unable to implement network controls should assume this vulnerability is actively exploitable and prioritize patching or replacement.

Share

CVE-2026-7705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy