CVE-2026-2629

HIGH 7.3

jishi node-sonos-http-api TTS Provider mac-os.js Promise os command injection

CVSS Score

7.3

EPSS Score

0.0%

EPSS Percentile

0th

A weakness has been identified in jishi node-sonos-http-api up to 3776f0ee2261c924c7b7204de121a38100a08ca7. Affected is the function Promise of the file lib/tts-providers/mac-os.js of the component TTS Provider. This manipulation of the argument phrase causes os command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

CWE	CWE-78 CWE-77
Vendor	jishi
Product	node-sonos-http-api
Published	Feb 17, 2026
Last Updated	Feb 23, 2026

Stay Ahead of the Next One

Get instant alerts for jishi node-sonos-http-api

Be the first to know when new high vulnerabilities affecting jishi node-sonos-http-api are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

jishi / node-sonos-http-api

3776f0ee2261c924c7b7204de121a38100a08ca7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.346280 vuldb.com: https://vuldb.com/?ctiid.346280 vuldb.com: https://vuldb.com/?submit.752762 github.com: https://github.com/jishi/node-sonos-http-api/issues/915 github.com: https://github.com/XavLimSG/Vulnerability-Research/blob/main/CVE-2026-2629/CVE-2026-2629.md github.com: https://github.com/jishi/node-sonos-http-api/

Credits

🔍 XavLimSG (VulDB User) XavLimSG (VulDB User)