Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8307 vulnerabilities reference this CWE, most recent first.

GHSA-VH9H-29PQ-R5M8

Vulnerability from github – Published: 2026-03-13 16:10 – Updated: 2026-03-16 17:06
VLAI
Summary
Locutus vulnerable to RCE via unsanitized input in create_function()
Details

Summary

The create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution.

This is distinct from CVE-2026-29091 (GHSA-fp25-p6mj-qqg6) which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x.

Root Cause

src/php/funchand/create_function.ts:17:

return new Function(...params, code)

Zero input validation on either parameter.

PoC

const { create_function } = require('locutus/php/funchand/create_function');
const rce = create_function('', 'return require("child_process").execSync("id").toString()');
console.log(rce());
// Output: uid=501(user) gid=20(staff) ...

Confirmed on locutus v3.0.11, Node.js v24.13.1.

Impact

Full RCE when an attacker can control either argument to create_function(). 597K weekly npm downloads.

Suggested Fix

Remove create_function or replace new Function() with a safe alternative. PHP itself deprecated create_function() in PHP 7.2 for the same reason.

Response

Thanks for the report.

We confirmed that php/funchand/create_function was still present through locutus@3.0.13 and that it exposed dynamic code execution via new Function(...).

While this was intended behavior, create_function() inherently needs to be unsafe in order for it to work, create_function() was deprecated in PHP 7.2 and removed in PHP 8.0. Given that Locutus' parity target today is 8.3, this function shouldn't have been in Locutus at all anymore.

We fixed this in locutus@3.0.14 by removing php/funchand/create_function entirely. That matches our PHP 8.3 parity target more closely: .

We also updated php/var/var_export so closures now export using the PHP 8-style \Closure::__set_state(array(...)) form instead of referencing the removed API.

Release: - npm: locutus@3.0.14 - GitHub release: https://github.com/locutusjs/locutus/releases/tag/v3.0.14

Credit to @ByamB4 for the report.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "locutus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T16:10:29Z",
    "nvd_published_at": "2026-03-13T19:54:41Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe `create_function(args, code)` function passes both parameters directly to the `Function` constructor without any sanitization, allowing arbitrary code execution.\n\nThis is distinct from CVE-2026-29091 (GHSA-fp25-p6mj-qqg6) which was `call_user_func_array` using `eval()` in v2.x. This finding affects `create_function` using `new Function()` in v3.x.\n\n## Root Cause\n\n`src/php/funchand/create_function.ts:17`:\n```typescript\nreturn new Function(...params, code)\n```\n\nZero input validation on either parameter.\n\n## PoC\n\n```javascript\nconst { create_function } = require(\u0027locutus/php/funchand/create_function\u0027);\nconst rce = create_function(\u0027\u0027, \u0027return require(\"child_process\").execSync(\"id\").toString()\u0027);\nconsole.log(rce());\n// Output: uid=501(user) gid=20(staff) ...\n```\n\nConfirmed on locutus v3.0.11, Node.js v24.13.1.\n\n## Impact\n\nFull RCE when an attacker can control either argument to `create_function()`. 597K weekly npm downloads.\n\n## Suggested Fix\n\nRemove `create_function` or replace `new Function()` with a safe alternative. PHP itself deprecated `create_function()` in PHP 7.2 for the same reason.\n\n## Response\n\nThanks for the report.\n\nWe confirmed that `php/funchand/create_function` was still present through `locutus@3.0.13` and that it exposed dynamic code execution via `new Function(...)`.\n\nWhile this was intended behavior, `create_function()` inherently needs to be unsafe in order for it to work, `create_function()` was deprecated in PHP 7.2 and removed in PHP 8.0. Given that Locutus\u0027 parity target today is 8.3, this function shouldn\u0027t have been in Locutus at all anymore.\n\nWe fixed this in `locutus@3.0.14` by removing `php/funchand/create_function` entirely. That matches our PHP 8.3 parity target more closely: . \n\nWe also updated `php/var/var_export` so closures now export using the PHP 8-style `\\Closure::__set_state(array(...))` form instead of referencing the removed API.\n\nRelease:\n- npm: `locutus@3.0.14`\n- GitHub release: https://github.com/locutusjs/locutus/releases/tag/v3.0.14\n\nCredit to @ByamB4 for the report.",
  "id": "GHSA-vh9h-29pq-r5m8",
  "modified": "2026-03-16T17:06:41Z",
  "published": "2026-03-13T16:10:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32304"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/locutusjs/locutus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Locutus vulnerable to RCE via unsanitized input in create_function()"
}

GHSA-VHC2-J742-M23Q

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

OpenType Font Parsing Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "OpenType Font Parsing Remote Code Execution Vulnerability",
  "id": "GHSA-vhc2-j742-m23q",
  "modified": "2022-05-24T17:44:20Z",
  "published": "2022-05-24T17:44:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26876"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26876"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHC9-GPCR-F248

Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-08T02:15:49Z",
    "severity": "HIGH"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.",
  "id": "GHSA-vhc9-gpcr-f248",
  "modified": "2026-04-02T21:31:38Z",
  "published": "2024-03-08T03:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23278"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120880"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120881"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120882"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120886"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120893"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120895"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214082"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214085"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214086"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214088"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214082"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214085"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214086"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214088"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/22"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/24"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHGC-6RJX-F6VV

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-09 09:31
VLAI
Details

Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.

Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T13:16:36Z",
    "severity": "MODERATE"
  },
  "details": "Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.",
  "id": "GHSA-vhgc-6rjx-f6vv",
  "modified": "2026-05-09T09:31:44Z",
  "published": "2026-05-08T15:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25077"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/09/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHHG-3F5R-HV5G

Vulnerability from github – Published: 2022-05-01 23:27 – Updated: 2022-05-01 23:27
VLAI
Details

Unspecified vulnerability in the Load method in the IPersistStreamInit interface in the Active Template Library (ATL), as used in the Microsoft Video ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via unknown vectors that trigger memory corruption, aka "ATL Header Memcopy Vulnerability," a different vulnerability than CVE-2008-0015.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-0020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-07-07T23:30:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in the Load method in the IPersistStreamInit interface in the Active Template Library (ATL), as used in the Microsoft Video ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via unknown vectors that trigger memory corruption, aka \"ATL Header Memcopy Vulnerability,\" a different vulnerability than CVE-2008-0015.",
  "id": "GHSA-vhhg-3f5r-hv5g",
  "modified": "2022-05-01T23:27:16Z",
  "published": "2022-05-01T23:27:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0020"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5850"
    },
    {
      "type": "WEB",
      "url": "http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/36187"
    },
    {
      "type": "WEB",
      "url": "http://www.iss.net/threats/329.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1022712"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/2232"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VHHG-WFX6-RJW6

Vulnerability from github – Published: 2022-05-01 23:54 – Updated: 2022-05-01 23:54
VLAI
Details

Multiple PHP remote file inclusion vulnerabilities in Orlando CMS 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[preloc] parameter to (1) modules/core/logger/init.php and (2) AJAX/newscat.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-2854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-06-25T12:36:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple PHP remote file inclusion vulnerabilities in Orlando CMS 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[preloc] parameter to (1) modules/core/logger/init.php and (2) AJAX/newscat.php.",
  "id": "GHSA-vhhg-wfx6-rjw6",
  "modified": "2022-05-01T23:54:14Z",
  "published": "2022-05-01T23:54:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2854"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43181"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/5864"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/29820"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VHM5-27GH-M6XQ

Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-03-28 03:31
VLAI
Details

An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-30457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-26T19:16:59Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code.",
  "id": "GHSA-vhm5-27gh-m6xq",
  "modified": "2026-03-28T03:31:25Z",
  "published": "2026-03-26T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30457"
    },
    {
      "type": "WEB",
      "url": "https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/modules/fuel/libraries/parser/dwoo"
    },
    {
      "type": "WEB",
      "url": "https://pentest-tools.com/PTT-2025-026-PHP-Code-Execution-Via-Dwoo-Escape.pdf"
    },
    {
      "type": "WEB",
      "url": "http://daylight.com"
    },
    {
      "type": "WEB",
      "url": "http://fuelcms.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHM5-XV2F-RGJ2

Vulnerability from github – Published: 2025-09-22 18:30 – Updated: 2025-09-22 18:30
VLAI
Details

Creacast Creabox Manager 4.4.4 contains a critical Remote Code Execution vulnerability accessible via the edit.php endpoint. An authenticated attacker can inject arbitrary Lua code into the configuration, which is then executed on the server. This allows full system compromise, including reverse shell execution or arbitrary command execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T18:15:45Z",
    "severity": "HIGH"
  },
  "details": "Creacast Creabox Manager 4.4.4 contains a critical Remote Code Execution vulnerability accessible via the edit.php endpoint. An authenticated attacker can inject arbitrary Lua code into the configuration, which is then executed on the server. This allows full system compromise, including reverse shell execution or arbitrary command execution.",
  "id": "GHSA-vhm5-xv2f-rgj2",
  "modified": "2025-09-22T18:30:37Z",
  "published": "2025-09-22T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57439"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57439"
    },
    {
      "type": "WEB",
      "url": "http://www.creacast.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHQ5-GJGJ-MC49

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2025-04-11 04:04
VLAI
Details

The server in CA ARCserve Backup r12.5, r15, and r16 on Windows does not properly process RPC requests, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-2971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-10-20T10:41:00Z",
    "severity": "HIGH"
  },
  "details": "The server in CA ARCserve Backup r12.5, r15, and r16 on Windows does not properly process RPC requests, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted request.",
  "id": "GHSA-vhq5-gjgj-mc49",
  "modified": "2025-04-11T04:04:13Z",
  "published": "2022-05-13T01:11:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2971"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79476"
    },
    {
      "type": "WEB",
      "url": "https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7BF9EEA31E-8089-423E-B746-41B5C9DD2AC1%7D"
    },
    {
      "type": "WEB",
      "url": "https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={F9EEA31E-8089-423E-B746-41B5C9DD2AC1}"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/86416"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/119543/Security-Notice-For-CA-ARCserve-Backup.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2013/Jan/86"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/51012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VHR7-C3P5-QRF4

Vulnerability from github – Published: 2025-04-18 21:31 – Updated: 2025-04-21 06:30
VLAI
Details

An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-18T21:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component.",
  "id": "GHSA-vhr7-c3p5-qrf4",
  "modified": "2025-04-21T06:30:31Z",
  "published": "2025-04-18T21:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29058"
    },
    {
      "type": "WEB",
      "url": "https://cdn.wjlin0.com/halo-img/74CMSv3.34.0%E5%AD%98%E5%9C%A8%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.zip"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.