CVE-2016-15057
published 2026-01-26

Priority: P1 (84) · critical · 9.9 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 3.73% (88.5th percentile)

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum.

This issue affects Apache Continuum: all versions.

Attackers with access to the installation's REST API can use this to invoke arbitrary commands on the server.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected

1 range

Vendor | Product | Version range | Fixed in
apache_software_foundation | apache_continuum | < ** |

Detection & IOCs (extracted from sources)

  • Monitor for unexpected or unauthorized calls to the Apache Continuum REST API, particularly those that may carry command injection payloads in parameters.
  • Apache Continuum is fully retired/unsupported; no patch will be issued. All versions are affected. Users should migrate away or strictly restrict access to trusted users only.
  • The vulnerability affects all versions of Apache Continuum (cpe:2.3:a:apache:continuum / org.apache.continuum:continuum). There is no fixed version available.

CVSS provenance

nvd | v3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck | 9.9 | CRITICAL