PT-2026-43355 · Unknown · Fastnetmon Community Edition

Published: 2026-05-26 · Updated: 2026-05-27 · CVE-2026-48695

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
FastNetMon Community Edition versions prior to 1.2.10

Description
An OS command injection issue exists in the MikroTik router integration plugin. The log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php constructs shell commands by concatenating the $msg parameter directly into exec() calls. Because the $msg variable contains unsanitized data from command-line arguments, an attacker capable of influencing argv[] values can inject and execute arbitrary shell commands.

Recommendations
Update FastNetMon Community Edition to version 1.2.10 or later. Replace the exec() function with file_put_contents() or implement escapeshellarg() to sanitize the $msg parameter.
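
The pattern from the description next to the two remediations named in the recommendations, as an added PHP example (not FastNetMon's code). Function names, the log path and the sample message are constructed for illustration, and a POSIX shell is assumed for the exec() variant.

```php
<?php
// Illustration only: function names, log path and message are constructed.

// Vulnerable shape from the description: $msg becomes part of the command
// line, so the shell interprets any metacharacters in it. Never called here.
function log_vulnerable(string $logFile, string $msg): void
{
    exec('echo "' . $msg . '" >> ' . $logFile);
}

// Remediation 1: no shell at all. The message is only ever data.
function log_file_append(string $logFile, string $msg): bool
{
    // Collapse CR/LF so one call cannot forge extra log lines.
    $line = str_replace(["\r", "\n"], ' ', $msg) . PHP_EOL;
    return file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Remediation 2: keep exec(), but quote every variable part as one argument.
function log_escaped_exec(string $logFile, string $msg): bool
{
    $cmd = 'printf "%s\n" ' . escapeshellarg($msg)
         . ' >> ' . escapeshellarg($logFile);
    exec($cmd, $output, $status);
    return $status === 0;
}

// Constructed input full of shell metacharacters, as argv[] could supply.
$msg     = '192.0.2.10 attack; $(id) `id` | & > "quoted" \'single\'';
$logFile = tempnam(sys_get_temp_dir(), 'fnm_');

log_file_append($logFile, $msg);
log_escaped_exec($logFile, $msg);

// Each hardened logger must have written the message byte for byte.
foreach (file($logFile, FILE_IGNORE_NEW_LINES) as $i => $line) {
    echo $i + 1, ': ', $line === $msg ? 'literal' : 'MISMATCH', PHP_EOL;
}
unlink($logFile);
```

The file_put_contents() variant removes the shell from the logging path entirely, so it stays safe even if a later change forgets to quote an argument.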

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-48695

Affected Products: Fastnetmon Community Edition