CVE-2026-58479 PUBLISHED

Sustainable Irrigation Platform 5.2.16 RCE via cli_control Plugin Command Injection

Assigner: VulnCheck
Reserved: 30.06.2026 Published: 14.07.2026 Updated: 14.07.2026

Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a command injection vulnerability in the optional cli_control plugin that allows unauthenticated or cross-site request forgery attackers to execute arbitrary operating-system commands by storing a malicious payload via the plugin's HTTP endpoint. Attackers can trigger execution by activating the associated irrigation station, exploiting the absence of passphrase protection or the default passphrase 'opendoor', to achieve arbitrary command execution on the underlying host.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor Dan-in-CA
Product SIP
Versions Default: affected
  • affected from 0 to 5.2.16 (incl.)

Credits

  • Gjoko Krstic of Zero Science Lab finder

References

Problem Types

  • Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE