LeakyCreds

CVE-2026-27598 - Vulnerability Analysis

Medium | CVSS: 6.5

Last Updated: February 25, 2026

Dagu - Command Injection

Published: February 25, 2026 | Updated: February 25, 2026 | PoC Available | Remote Exploitable

Overview

Dagu <= 1.16.7 contains a command injection caused by a lack of DAG name validation in the CreateNewDAG API. Authenticated users with DAG write permissions can execute arbitrary code via crafted YAML files. Exploitation requires DAG write permissions.

Severity & Score

Severity: Medium
CVSS Score: 6.5

Impact

Authenticated users with DAG write permissions can execute arbitrary code remotely, potentially leading to full system compromise.

Mitigation

Update to a version including commit e2ed589105d79273e4e6ac8eb31525f765bb3ce4 or later.

Details

CVE ID: CVE-2026-27598
Severity: Medium
CVSS Score: 6.5
Type: command_injection
Status: confirmed

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N