
CVE-2026-1192: Medium Vulnerability in Tosei Corporation Online Store Management System

CVE-2026-1192 is a medium-severity command injection vulnerability in Tosei Online Store Management System. Remote exploitation could lead to unauthorized command execution. Immediate patching is recommended to mitigate risks.

MEDIUM · CVSS 5.5 · Published January 19, 2026


CVE-2026-1192 is a command injection vulnerability discovered in the Tosei Online Store Management System version 1.01. The vulnerability arises from an unknown function within the file /cgi-bin/imode_alldata.php, where manipulation of the DevId argument can lead to remote command execution. This vulnerability has been publicly disclosed, and although the vendor was notified early, no response was received.

The severity of this vulnerability is classified as medium, with a CVSS score of 5.5. Although the score is medium, the complexity of exploiting the vulnerability is relatively low, and exploitation requires no special privileges or user interaction. As such, organizations that utilize this system should prioritize remediation efforts.

Risk to organizations includes potential unauthorized command execution, which could compromise the confidentiality, integrity, and availability of the affected system. Given the nature of the vulnerability and its ease of exploitation, it is crucial for organizations to take immediate action to patch the affected system.

Organizations should prioritize patching immediately to mitigate the associated risks. Regular vulnerability assessments and updates can help ensure that such issues are addressed promptly.

Vulnerability Details

The official description of CVE-2026-1192 indicates that the vulnerability affects the Tosei Online Store Management System version 1.01. Specifically, the vulnerability is present in the file /cgi-bin/imode_alldata.php, where the DevId argument can be manipulated to execute arbitrary commands.

This vulnerability has a CVSS score of 5.5, which categorizes it as medium severity. The scoring reflects a network attack vector, low attack complexity, and no privileges or user interaction required for exploitation. The vulnerability can lead to a low impact on confidentiality, integrity, and availability.

The CWE classifications associated with this vulnerability are CWE-74 (Injection) and CWE-77 (Command Injection), which highlight the nature of the vulnerability and its potential impact.

Technical Analysis

The root cause of this vulnerability is the inadequate validation of user-supplied input, specifically the DevId argument in the affected script. Attackers may leverage this weakness to inject arbitrary commands that the server will execute with the privileges of the application.

The attack vector is network-based, meaning that an adversary can exploit this vulnerability remotely without physical access to the system. The attack complexity is low, as no special conditions or privileges are needed to carry out the attack. There is no user interaction required, allowing for automated exploitation.

In terms of impact, the vulnerability can have a low effect on confidentiality, integrity, and availability, as unauthorized commands can potentially alter data, leak sensitive information, or disrupt services.

Risk & Impact Analysis

The real-world deployment risk associated with CVE-2026-1192 is significant, given that exploitation could lead to unauthorized command execution on affected systems. This raises serious concerns about the overall security posture of organizations using the Tosei Online Store Management System.

The urgency of addressing this vulnerability is underscored by its medium severity level. Organizations should assess their exposure to this vulnerability and prioritize patching as part of their security response. The potential blast radius includes any system accessible via the vulnerable component, which could affect a considerable number of users and customers.

Exploitation Status

| Signal | Status |
| --- | --- |
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |

Affected Versions

The vulnerability affects Tosei Online Store Management System version 1.01. Organizations should consider all versions prior to a vendor patch as affected.

Mitigation & Remediation

To mitigate the risks associated with CVE-2026-1192, organizations should apply the following recommendations:

1. **Patch the system:** Ensure that Tosei Online Store Management System is updated to the latest version that addresses this vulnerability.

2. **Implement access controls:** Restrict access to the affected file and validate inputs to prevent unauthorized command execution.

3. **Monitor for suspicious activity:** Establish logging and monitoring mechanisms to detect potential exploitation attempts.

4. **Conduct security assessments:** Regularly perform security assessments to identify and remediate vulnerabilities in the system.

By proactively addressing identified vulnerabilities and enhancing security measures, organizations can better protect their systems against potential threats.
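For the monitoring recommendation above, the following added example (not code from AppSecure or the vendor) scans web access logs for requests to /cgi-bin/imode_alldata.php whose DevId value falls outside an allowlist. The allowlist pattern, the common/combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/cgi-bin/imode_alldata.php"  # file named in the advisory
PARAM = "DevId"                             # argument named in the advisory
# Assumption: legitimate device IDs are short alphanumeric tokens.
# Replace with the format your deployment actually uses.
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Common/combined log format: ip ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

def suspicious_requests(lines):
    """Return (ip, timestamp, decoded DevId) for each request to the
    affected script whose DevId value does not match the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path, _, query = m["target"].partition("?")
        # Normalise percent-encoding and repeated slashes before comparing.
        path = re.sub(r"/+", "/", unquote(path))
        if path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values; blank values are kept so an
        # empty DevId is reported rather than silently dropped.
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            if not ALLOWED.fullmatch(value):
                hits.append((m["ip"], m["ts"], value))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2026:10:01:02 +0000] "GET /cgi-bin/imode_alldata.php?DevId=A1001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Jan/2026:10:03:44 +0000] "GET /cgi-bin/imode_alldata.php?DevId=A1001%3Bxyz HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Jan/2026:10:03:50 +0000] "GET //cgi-bin/imode_alldata.php?DevId=%60xyz%60 HTTP/1.1" 200 0',
    '203.0.113.5 - - [20/Jan/2026:10:05:00 +0000] "GET /index.php?DevId=A%7Cb HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} DevId outside allowlist: {value!r}")
```

Access logs normally record only the query string, so a DevId sent in a POST body needs the same allowlist check at a reverse proxy or in application-level logging.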

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
