CVE-2026-2629

A weakness has been identified in jishi node-sonos-http-api up to 3776f0ee2261c924c7b7204de121a38100a08ca7. Affected is the function Promise of the file lib/tts-providers/mac-os.js of the component TTS Provider. This manipulation of the argument phrase causes os command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

CVSS v3 7.3 HIGH
CVSS v2.0 7.5 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/XavLimSG/Vulnerability-Research/blob/main/CVE-2026-2629/CVE-2026-2629.md
https://github.com/jishi/node-sonos-http-api/
https://github.com/jishi/node-sonos-http-api/issues/915
https://vuldb.com/?ctiid.346280
https://vuldb.com/?id.346280
https://vuldb.com/?submit.752762

Configurations

No configuration.

History

20 Feb 2026, 08:17

Type	Values Removed	Values Added
References		() https://github.com/XavLimSG/Vulnerability-Research/blob/main/CVE-2026-2629/CVE-2026-2629.md -

18 Feb 2026, 17:51

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una debilidad en jishi node-sonos-http-api hasta 3776f0ee2261c924c7b7204de121a38100a08ca7. Afecta a la función Promise del archivo lib/tts-providers/mac-os.js del componente TTS Provider. Esta manipulación del argumento phrase provoca inyección de comandos del sistema operativo. Es posible iniciar el ataque en remoto. El exploit ha sido puesto a disposición del público y podría ser utilizado para ataques. Este producto realiza lanzamientos continuos para proporcionar una entrega continua. Por lo tanto, no se dispone de detalles de versión para las versiones afectadas ni actualizadas. El proyecto fue informado pronto del problema a través de un informe de incidencias pero aún no ha respondido.

17 Feb 2026, 22:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-17 22:18

Updated : 2026-04-29 01:00

NVD link : CVE-2026-2629

Mitre link : CVE-2026-2629

CVE.ORG link : CVE-2026-2629

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

7.3 /10