LeakyCreds

CVE-2026-27598 - Vulnerability Analysis

Medium | CVSS: 6.5

Last Updated: February 25, 2026

Dagu - Command Injection

Published: February 25, 2026 | Updated: February 25, 2026 | PoC Available | Remote Exploitable

Overview

Dagu <= 1.16.7 contains a command injection vulnerability caused by a lack of DAG name validation in the CreateNewDAG API. It lets authenticated users with DAG write permissions execute arbitrary code via crafted YAML files. Exploitation requires DAG write permissions.

Severity & Score

Severity: Medium
CVSS Score: 6.5
EPSS Score: 11.3% (Probability of exploitation in next 30 days)

Impact

Authenticated users with DAG write permissions can execute arbitrary code remotely, potentially leading to full system compromise.

Mitigation

Update to a version including commit e2ed589105d79273e4e6ac8eb31525f765bb3ce4 or later.
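
For services that turn a user-supplied DAG name into a file path, the missing check described in the Overview can look like the following. This is an added Go example, not Dagu's code or its fix; the function names, the allow-list pattern, the 40-character limit and the `/var/lib/dags` directory are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed allow-list: letters, digits, '.', '_' and '-', at most 40 characters.
var dagNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,40}$`)

var errBadName = errors.New("invalid DAG name")

// validateDAGName rejects separators, traversal segments and anything outside the allow-list.
func validateDAGName(name string) error {
	if name == "." || name == ".." || !dagNameRe.MatchString(name) {
		return errBadName
	}
	return nil
}

// dagFilePath returns the YAML path for name, guaranteed to stay inside dagsDir.
func dagFilePath(dagsDir, name string) (string, error) {
	if err := validateDAGName(name); err != nil {
		return "", err
	}
	base, err := filepath.Abs(dagsDir)
	if err != nil {
		return "", err
	}
	// filepath.Base is a second layer: only the final path element is ever used.
	p := filepath.Join(base, filepath.Base(name)+".yaml")
	// Containment check: the cleaned result must still sit under base.
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadName
	}
	return p, nil
}

func main() {
	// Constructed sample names, not taken from the advisory.
	for _, n := range []string{"nightly-etl", "../../etc/cron.d/job", "a/b", "..", ""} {
		p, err := dagFilePath("/var/lib/dags", n)
		fmt.Printf("%q -> %q, %v\n", n, p, err)
	}
}
```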

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 24, 2026

🟠 CVE-2026-33344 - High (8.1) Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE p... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33344/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-27598
Severity: Medium
CVSS Score: 6.5
Type: command_injection
Status: confirmed
EPSS: 11.3%
Social Posts: 1

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Score

11.3% (Probability of exploitation in the next 30 days)