WatchYourLAN Configuration Page Argument Injection RCE (CVE-2026-0774)

Critical Vulnerability Information Vulnerability Overview Name: (0Day) WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability IDs: - ZDI-26-039 - ZDI-CAN-26708 CVE Identifier CVE ID: CVE-2026-0774 CVSS Score CVSS Score: 8.8 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Scope Affected Vendor: WatchYourLAN Affected Product: WatchYourLAN Vulnerability Details Description: This vulnerability allows a network-adjacent attacker to execute arbitrary code on an affected WatchYourLAN installation. Exploitation does not require authentication. Specific Issue: A flaw exists in the handling of the parameter. The issue stems from insufficient validation of user-supplied strings prior to system call execution. Attackers can exploit this to execute code in the context of the service account. Additional Details Reporting Timeline: - June 19, 2025 - ZDI submitted the report to the vendor - July 4, 2025 - ZDI requested confirmation that the report was received - November 6, 2025 - ZDI inquired about updates - December 10, 2025 - ZDI notified the vendor that the case would be disclosed as a 0-day advisory Mitigation: Due to the nature of the vulnerability, the only effective mitigation is to restrict interaction with the product. Public Disclosure Timeline 2025-06-19: Vulnerability reported to vendor 2026-01-09: Coordinated public advisory release 2026-01-09: Advisory updated Reporter x.com/xnand_

Goal Reached Thanks to every supporter — we hit 100%!

WatchYourLAN Configuration Page Argument Injection RCE (CVE-2026-0774)