5.3

qinming99 dst-admin: Unauthorized Code Execution via File Restores

CVE-2026-2956
Summary

A security issue in qinming99 dst-admin version 1.5.0 or earlier allows attackers to run unauthorized system commands when restoring a file. This can occur when a malicious file name is used in the restore process. Update to a fixed version of qinming99 dst-admin to prevent potential attacks.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
dst-admin_project | dst-admin | <= 1.5.0 | –
Original title
A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command in...
Original description
A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
NVD CVSS 2.0: 6.5
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-74 Injection
CWE-77 Command Injection
Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026