PatchSiren cyber security CVE debrief
CVE-2026-9302 546669204 CVE debrief
A code injection vulnerability exists in the vps-inventory-monitoring project (GitHub user 546669204) in revisions up to commit 98c00b370668c96ae75e91c15548d9ea113652d9. The flaw is an `eval()` call in `app/index/command/VpsTest.php`, part of the VpsTest Console component, that evaluates the contents of the `vf` argument as PHP. An attacker holding low-privileged access can therefore inject and execute arbitrary PHP code remotely. The CVSS 4.0 vector records a network attack vector, low attack complexity, low privileges required (PR:L) and no user interaction, with low impact on each of confidentiality, integrity and availability. The exploit has been publicly disclosed and is considered exploitable. The project follows a rolling release model and publishes no version numbers, so affected and patched states cannot be expressed as versions and must be tracked by commit. The vendor was notified via GitHub issue #36 but had not responded as of the CVE publication date.
- Vendor
- 546669204
- Product
- vps-inventory-monitoring
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-23
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-23
- Advisory updated
- 2026-05-26
Who should care
Organizations running vps-inventory-monitoring with VpsTest Console enabled; security teams monitoring PHP applications using eval(); developers maintaining forked versions of this project
Technical summary
The VpsTest Console component in vps-inventory-monitoring passes the user-controlled `vf` argument to `eval()` without validation, so whatever PHP the caller supplies in `vf` runs with the privileges of the console process. Exploitation requires low-privileged, authenticated access (PR:L) and can be carried out remotely. The vulnerability affects deployments up to commit 98c00b370668c96ae75e91c15548d9ea113652d9; because the project uses a rolling release model, no version boundary can be given and a deployment has to be checked by commit. The vendor had not responded to responsible disclosure as of CVE publication.
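To make the pattern concrete, the following is an added illustration written for this debrief; it is not code from vps-inventory-monitoring, and the handler names `ping` and `disk` and their bodies are assumptions (the project's real command logic is not reproduced here). It places a framework-free console command that evaluates `vf` with `eval()` beside an allow-list dispatch that removes the injection:

```php
<?php
declare(strict_types=1);

/*
 * Added illustration for this debrief; NOT code from vps-inventory-monitoring.
 * The affected component is a console command (app/index/command/VpsTest.php)
 * whose `vf` argument reaches eval(). This script reproduces only that pattern
 * and puts an allow-list dispatch beside it. Handler names and bodies are
 * assumptions for the example. Requires PHP 8.0+ (mixed return type).
 */

// Allowed values of --vf, mapped to PHP callables. User input only ever
// selects a key here; it never becomes PHP source.
const VF_HANDLERS = [
    'ping' => 'vfPing',
    'disk' => 'vfDisk',
];

// Hypothetical check: validate a target IP and report it (no probe is sent).
function vfPing(string $target): string
{
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("ping: '$target' is not an IP address");
    }
    return "ping: target $target accepted";
}

// Hypothetical check: free space on an existing directory.
function vfDisk(string $target): string
{
    $dir = realpath($target);
    if ($dir === false || !is_dir($dir)) {
        throw new InvalidArgumentException("disk: '$target' is not a directory");
    }
    $free = disk_free_space($dir);
    if ($free === false) {
        throw new RuntimeException("disk: cannot stat $dir");
    }
    return sprintf('disk: %s has %.1f GiB free', $dir, $free / 1073741824);
}

// VULNERABLE PATTERN (the class of defect the advisory describes): the raw
// argument is spliced into PHP source and evaluated. --vf='vfPing("127.0.0.1")'
// works, but so does --vf='system("id")': any PHP the caller types runs with
// the privileges of the console process.
function runVpsTestUnsafe(string $vf): mixed
{
    return eval('return ' . $vf . ';');
}

// HARDENED PATTERN: --vf is an opaque selector checked against the allow-list;
// the only argument a handler receives is a separately validated string.
function runVpsTestSafe(string $vf, string $target): string
{
    if (!array_key_exists($vf, VF_HANDLERS)) {
        throw new InvalidArgumentException(
            "unknown vf '$vf'; allowed: " . implode(', ', array_keys(VF_HANDLERS))
        );
    }
    return (VF_HANDLERS[$vf])($target);
}

// CLI entry point:
//   php vps_test_example.php --vf=ping --target=127.0.0.1
//   php vps_test_example.php --vf=disk --target=/tmp
//   php vps_test_example.php --unsafe --vf='system("id")'   # shows the injection
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $opts   = getopt('', ['vf:', 'target:', 'unsafe']);
    $vf     = (string)($opts['vf'] ?? '');
    $target = (string)($opts['target'] ?? '');
    try {
        $out = isset($opts['unsafe'])
            ? runVpsTestUnsafe($vf)
            : runVpsTestSafe($vf, $target);
        echo is_string($out) ? $out : var_export($out, true), PHP_EOL;
    } catch (Throwable $e) {
        fwrite(STDERR, 'error: ' . $e->getMessage() . PHP_EOL);
        exit(1);
    }
}
```

The point of the hardened variant is that there is no input filter in front of `eval()` at all: the call is gone, and `vf` can only ever name one of a fixed set of functions. Attempting to sanitize a string that is still going to be evaluated as PHP is the approach to avoid.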
Defensive priority
medium
Recommended defensive actions
- Review and restrict who can reach the VpsTest Console functionality in vps-inventory-monitoring deployments
- Audit application and web-server logs for requests to VpsTest.php whose vf value contains PHP syntax (function calls, quotes, semicolons) or names such as system, exec, shell_exec or base64_decode rather than an expected option
- Validate the vf argument against a strict allow-list of permitted values and, preferably, remove the eval() call altogether, since input sanitization in front of eval() is not a reliable fix
- Disable or remove the VpsTest Console component in production environments if it is not required
- Monitor the vendor GitHub repository for security updates and for a response to issue #36
- Apply least privilege to console commands: exploitation already needs only a low-privileged account (PR:L), so restrict VpsTest to administrative users rather than to any authenticated user
Evidence notes
The vulnerability is identified against commit 98c00b370668c96ae75e91c15548d9ea113652d9 of the vps-inventory-monitoring repository. It was reported to the vendor via GitHub issue #36; the public exploit disclosure is tracked in a separate GitHub issue. VulDB submission 811843 and entry 365249 provide additional context. NVD status was marked 'Deferred' as of 2026-05-26.
Official resources
2026-05-23