CVE-2026-2544
yued-fe LuLu UI run.js child_process.exec os command injection
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9EPSS 2.0%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
16 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
Affected products
yued-fe · LuLu UIWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →