FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The log() function in src/mikrotikplugin/fastnetmonmikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo date \"- {FASTNETMON] - " . $msg . " \" >> " . $FILELOGTMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with fileput_contents() or use escapeshellarg().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48695.json",
"cna_assigner": "mitre"
}{
"cpe": "cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*",
"source": [
"DESCRIPTION",
"CPE_RANGE"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.2.9"
},
{
"last_affected": "1.2.9"
}
]
}