Privileged Remote Shell Exec in Lenovo Personal Cloud Storage
CVE-2026-6281 Published on May 13, 2026
A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
Vulnerability Analysis
CVE-2026-6281 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-6281 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2026-6281
Want to know whenever a new CVE is published for Lenovo products? stack.watch will email you.
Affected Versions
Lenovo Personal Cloud T2s:- Before 5.5.6.t2s.3 is affected.
- Before 5.4.8.t2pro.2 is affected.
- Before 5.4.8.x1s.2 is affected.
- Before 5.5.8.t20.1 is affected.
- Before 5.4.4.x20.1 is affected.
- Before and including 5.4.0.t1.6 is affected.
- Before and including 5.4.2.a1.3 is affected.
- Before and including 5.5.6.a1s is affected.
- Before and including 5.4.5.t2.2 is affected.
- Before and including 5.4.7.x1.1 is affected.