A command injection vulnerability in actionpower.py in Cobbler prior to v2.6.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields passed to the powersystem method in the XML-RPC API.
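The class of bug described above, shown as an added example (not Cobbler's code): a username field is interpolated into a shell command string, next to two hardened forms. The stand-in tool `TOOL`, the function names and the sample values are assumptions made for illustration.

```python
import shlex
import subprocess
import sys

# Hypothetical stand-in for a power-management tool: it prints each argument
# it receives on its own line, so we can see how the fields arrived.
TOOL = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]


def run_unsafe(user, password):
    """Vulnerable pattern: fields interpolated into a string run by /bin/sh."""
    cmd = "%s --user %s --pass %s" % (shlex.join(TOOL), user, password)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argv(user, password):
    """Hardened: no shell is involved; each field is exactly one argv element."""
    out = subprocess.run(TOOL + ["--user", user, "--pass", password],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_quoted(user, password):
    """Fallback when a shell string cannot be avoided: quote every field."""
    cmd = "%s --user %s --pass %s" % (
        shlex.join(TOOL), shlex.quote(user), shlex.quote(password))
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                         check=True)
    return out.stdout.splitlines()


# Constructed sample input: a username carrying a shell metacharacter (;).
SAMPLE_USER = "admin; echo INJECTED"
SAMPLE_PASS = "secret"

if __name__ == "__main__":
    # In the unsafe form the shell splits the string at ';' and runs a
    # second command; in the hardened forms the value stays one argument.
    print("unsafe:", run_unsafe(SAMPLE_USER, SAMPLE_PASS))
    print("argv:  ", run_argv(SAMPLE_USER, SAMPLE_PASS))
    print("quoted:", run_quoted(SAMPLE_USER, SAMPLE_PASS))
```

Passing an argument list without a shell is the preferred fix because it also keeps legitimate passwords that contain metacharacters working unchanged.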