Review
abhishek-ram
CVE published 2026-07-17
CVE-2026-42168
CVE-2026-42168 is an OS command injection vulnerability in django-pyas2 through version 1.2.3. The vulnerability exists in the cmd_receive and cmd_send fields of the Partner model, which are passed directly to os.system() in pyas2/utils.py without sanitization. This allows an authenticated admin user to execute arbitrary commands on the server when an AS2 message is received or sent. The vulnerability has [truncated]