CVE-2026-6281
published 2026-05-13CVE-2026-6281: A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to…
PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.45%
35.6th percentile
A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lenovo | home_storage_hub_t20 | < 5.5.8.t20.1 | 5.5.8.t20.1 |
| lenovo | home_storage_hub_x20 | < 5.4.4.x20.1 | 5.4.4.x20.1 |
| lenovo | personal_cloud_a1 | <= 5.4.2.a1.3 | — |
| lenovo | personal_cloud_a1s | <= 5.5.6.a1s | — |
| lenovo | personal_cloud_t1 | <= 5.4.0.t1.6 | — |
| lenovo | personal_cloud_t2 | <= 5.4.5.t2.2 | — |
| lenovo | personal_cloud_t2pro | < 5.4.8.t2pro.2 | 5.4.8.t2pro.2 |
| lenovo | personal_cloud_t2s | < 5.5.6.t2s.3 | 5.5.6.t2s.3 |
| lenovo | personal_cloud_x1 | <= 5.4.7.x1.1 | — |
| lenovo | personal_cloud_x1s | < 5.4.8.x1s.2 | 5.4.8.x1s.2 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Lenovo Personal Cloud X1 prior 5.5.6.t2s.3 os command injection (EUVD-2026-30040)
vuldb·2026-05-13·CVSS 8.7
CVE-2026-6281 [HIGH] Lenovo Personal Cloud X1 prior 5.5.6.t2s.3 os command injection (EUVD-2026-30040)
A vulnerability has been found in Lenovo Personal Cloud T2s, Personal Cloud T2Pro, Personal Cloud X1s, Home Storage Hub T20, Home Storage Hub X20, Personal Cloud T1, Personal Cloud A1, Personal Cloud A1s, Personal Cloud T2 and Personal Cloud X1 and classified as critical. This impacts an unknown function. This manipulation causes os command injection.
This vulnerability is registered as CVE-2026-6281. Remote exploitation of the attack is possible. No exploit is available.
The affected component should be upgraded.
GHSA
GHSA-q5wc-3rhr-ppvw: A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network
ghsa_unreviewed·2026-05-13
CVE-2026-6281 [HIGH] CWE-78 GHSA-q5wc-3rhr-ppvw: A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network
A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
No detection rules found.
No public exploits indexed.
2026-05-13
Published