CVE-2026-2560 identifies a remote OS command injection vulnerability in the kalcaddle kodbox product, version 1.64.05, within the Media File Preview Plugin component. The vulnerability is located in the run function of the file plugins/fileThumb/lib/VideoResize.class.php, where the 'localFile' parameter is improperly sanitized. This flaw allows an attacker to inject arbitrary operating system commands by manipulating the 'localFile' argument, which the application executes without adequate validation or escaping. The attack vector is network-based and does not require authentication or user interaction, increasing the risk of exploitation. The vendor was notified early but has not issued a patch or response, and no official remediation is currently available. The CVSS 4.0 vector indicates low attack complexity and no privileges required, but the impact on confidentiality, integrity, and availability is limited to low levels, resulting in an overall medium severity rating. While no known exploits are reported in the wild, public disclosure of the exploit code increases the likelihood of future attacks. The vulnerability primarily affects organizations using kodbox for media file management and preview, especially where the Media File Preview Plugin is enabled. Attackers could leverage this vulnerability to execute arbitrary commands on the host system, potentially leading to data breaches, system compromise, or service disruption.

The potential impact of CVE-2026-2560 includes unauthorized remote command execution on systems running the vulnerable kodbox version. This can lead to unauthorized access to sensitive files, data exfiltration, modification or deletion of data, and disruption of service availability. Since the vulnerability allows OS command injection, attackers could escalate privileges, install malware, or pivot within the network. The lack of authentication requirement and ease of remote exploitation increase the risk of automated attacks and worm-like propagation in exposed environments. Organizations relying on kodbox for file sharing and media preview may face operational disruptions and reputational damage if exploited. The medium CVSS score reflects moderate risk, but the absence of vendor patches and public exploit availability heighten urgency. The impact is particularly critical for environments where kodbox servers are internet-facing or have weak network segmentation.

1. Immediately restrict external network access to the kodbox server, especially to the Media File Preview Plugin functionality, using firewalls or network segmentation. 2. Disable or remove the Media File Preview Plugin if it is not essential to operations to eliminate the attack surface. 3. Implement strict input validation and sanitization on the 'localFile' parameter to prevent command injection, if modifying source code is feasible. 4. Monitor system logs and network traffic for unusual command execution patterns or unexpected process spawning related to the kodbox service. 5. Employ application-layer firewalls or intrusion prevention systems (IPS) with signatures targeting command injection attempts. 6. Maintain regular backups of critical data to enable recovery in case of compromise. 7. Engage with the vendor or community for updates or unofficial patches and apply them promptly once available. 8. Consider deploying web application firewalls (WAF) with custom rules to detect and block injection payloads targeting this vulnerability. 9. Conduct security audits and penetration testing focused on kodbox deployments to identify and remediate similar weaknesses.