CVE-2026-36365 Overview
CVE-2026-36365 is a command injection vulnerability in Lymphatus caesium-image-compressor, an open-source image compression utility. The flaw resides in the shutdownMachine and putMachineToSleep functions implemented in PostCompressionActions.cpp. All versions up to and including commit 02da2c6 are affected. A local attacker with low privileges can leverage these post-compression action handlers to execute arbitrary operating system commands in the context of the running application. The vulnerability is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command.
Critical Impact
A local, authenticated attacker can achieve arbitrary code execution with full impact on confidentiality, integrity, and availability of the host system.
Affected Products
- Lymphatus caesium-image-compressor (all versions through commit 02da2c6)
- Source file: src/utils/PostCompressionActions.cpp
- Functions: shutdownMachine and putMachineToSleep
Discovery Timeline
- 2026-05-04 - CVE-2026-36365 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-36365
Vulnerability Analysis
The caesium-image-compressor application offers post-compression actions that allow users to shut down or sleep the machine after a batch operation completes. The shutdownMachine and putMachineToSleep routines defined in PostCompressionActions.cpp construct operating system commands and invoke a shell to execute them. Because user-influenced or environment-derived data flows into the command string without proper neutralization of shell metacharacters, an attacker who can influence those inputs can append or substitute arbitrary commands.
The flaw aligns with CWE-77: Improper Neutralization of Special Elements used in a Command. Exploitation runs in the context of the user executing the application, providing arbitrary code execution on the local host. Refer to the GitHub advisory for CVE-2026-36365 for the full technical description.
Root Cause
The root cause is the use of a shell-interpreted command execution API to perform privileged power-management actions. The two functions assemble command strings and pass them to a shell rather than calling platform APIs directly or using argument-array execution that bypasses shell parsing. This permits shell metacharacters such as ;, &&, |, and backticks to break out of the intended command and chain attacker-controlled instructions.
Attack Vector
A local attacker with the ability to influence the command path or arguments consumed by shutdownMachine or putMachineToSleep triggers the vulnerable code path through the application's post-compression action workflow. When the user enables a post-compression action and the affected function executes, the injected payload runs with the privileges of the caesium-image-compressor process. The upstream fix is tracked in pull request #376 and the vulnerable code is visible in PostCompressionActions.cpp.
No verified public exploit code is available. The vulnerability is described in prose only; consult the advisory for proof-of-concept details.
Detection Methods for CVE-2026-36365
Indicators of Compromise
- Unexpected child processes spawned by the caesium-image-compressor binary, particularly shells such as cmd.exe, powershell.exe, /bin/sh, or /bin/bash.
- Execution of system power utilities (shutdown, systemctl suspend, pmset, rundll32 powrprof.dll) chained with additional commands.
- New files written to user-writable directories immediately after a batch image compression run completes.
Detection Strategies
- Hunt for caesium-image-compressor process trees that include shell interpreters or command chaining operators in their command lines.
- Alert on power-management commands invoked with concatenated payloads that include ;, &&, |, or $().
- Correlate post-compression action telemetry with subsequent network connections, persistence creations, or credential-access attempts on the same host.
Monitoring Recommendations
- Enable command-line logging on Windows endpoints (Event ID 4688 with command-line auditing) and execve auditing on Linux to capture full process arguments.
- Baseline normal behavior of caesium-image-compressor and flag deviations such as outbound network activity or filesystem changes outside the configured output directory.
- Forward endpoint process telemetry to a centralized analytics platform to support cross-host correlation and retrospective hunts.
How to Mitigate CVE-2026-36365
Immediate Actions Required
- Disable the shutdown and sleep post-compression actions in caesium-image-compressor settings until a patched build is deployed.
- Restrict installation of caesium-image-compressor to least-privilege user accounts; do not run the application with administrative rights.
- Inventory hosts running caesium-image-compressor and prioritize patching for shared or multi-user systems.
Patch Information
The upstream project maintains the fix discussion in pull request #376 of the caesium-image-compressor repository. Update to the post-fix commit once it is merged and a release is tagged. Verify the deployed binary is built from a commit later than 02da2c6 and that PostCompressionActions.cpp no longer passes unsanitized strings to a shell.
Workarounds
- Avoid enabling the shutdown or sleep options in the post-compression action menu.
- Apply application-control or allowlisting policies that block caesium-image-compressor from spawning shell interpreters and power-management utilities.
- On multi-user systems, restrict execution of the application to trusted accounts using filesystem ACLs or AppLocker-equivalent controls.
# Configuration example: block caesium-image-compressor from spawning shells (Linux AppArmor snippet)
profile caesium-image-compressor /usr/local/bin/caesium-image-compressor {
deny /bin/sh x,
deny /bin/bash x,
deny /usr/bin/systemctl x,
deny /sbin/shutdown x,
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
