← back
CVE-2026-2544

yued-fe LuLu UI run.js child_process.exec os command injection

CVSS 6.9 MEDIUMEPSS 2.0%CWE-77CWE-78
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9EPSS 2.0%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
16 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
Affected products
yued-fe · LuLu UI

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →