CVE-2003-1308

fvwm <2.5.10, <2.4.18 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2003-1308. PoCs published by auto22238.

AI-analyzed exploit summary This exploit demonstrates a command execution vulnerability in FVWM's fvwm-menu-directory component by creating a maliciously named file that triggers arbitrary command execution when processed by FVWM.

Description

CRLF injection vulnerability in fvwm-menu-directory for fvwm 2.5.x before 2.5.10 and 2.4.x before 2.4.18 allows local users to execute arbitrary commands via carriage returns in a filename.

Exploits (1)

exploitdb WORKING POC VERIFIED
by auto22238 · textlocallinux
https://www.exploit-db.com/exploits/23414

This exploit demonstrates a command execution vulnerability in FVWM's fvwm-menu-directory component by creating a maliciously named file that triggers arbitrary command execution when processed by FVWM.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: FVWM versions 2.14.17 and 2.5.8
No auth needed
Prerequisites: Write permissions to a directory monitored by FVWM's menu system
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Various Sources x_refsource_confirm
http://www.fvwm.org/news/
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/9161

Scores

EPSS 0.0132
EPSS Percentile 67.6%

Details

Status published
Products (1)
fvwm/fvwm < 2.4.17
Published Dec 31, 2003
Tracked Since Feb 18, 2026