Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Smanga 3.2.7: Unauthenticated Server Takeover via Malicious Media ID
CVE-2025-70831
Summary
An attacker can inject commands on your server by manipulating a specific input field in Smanga 3.2.7. This could allow an attacker to access and control your server, which could lead to data theft, disruption, or other malicious activities. Update to the latest version of Smanga to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lkw199711 | smanga | 3.2.7 | – |
Original title
A Remote Code Execution (RCE) vulnerability was found in Smanga 3.2.7 in the /php/path/rescan.php interface. The application fails to properly sanitize user-supplied input in the mediaId parameter ...
Original description
A Remote Code Execution (RCE) vulnerability was found in Smanga 3.2.7 in the /php/path/rescan.php interface. The application fails to properly sanitize user-supplied input in the mediaId parameter before using it in a system shell command. This allows an unauthenticated attacker to inject arbitrary operating system commands, leading to complete server compromise.
nvd CVSS3.1
9.8
Vulnerability type
CWE-78
OS Command Injection
- https://github.com/LX-66-LX/cve/issues/5 Broken Link
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026