CVE-2006-6255

NukeAI 0.0.3 Beta - Unauthenticated Arbitrary PHP Code Execution via Filename and Moreinfo Parameters


Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-6255. PoCs published by DeltahackingTEAM.

AI-analyzed exploit summary: This exploit targets a remote code execution vulnerability in nukeai beta3 by injecting a PHP shell into the 'util.php' script via unsanitized input. It then allows command execution through the created shell file.

Description

Direct static code injection vulnerability in util.php in the NukeAI 0.0.3 Beta module for PHP-Nuke (aka Program E, an AIML chatterbot) allows remote attackers to upload and execute arbitrary PHP code via a filename with a .php extension in the filename parameter and code in the moreinfo parameter. The code is saved to a file under descriptions/, which is accessible via a direct request.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by DeltahackingTEAM · perl · webapps · php
https://www.exploit-db.com/exploits/2843

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: nukeai beta3
No auth needed
Prerequisites: Target running nukeai beta3 with accessible 'modules/NukeAI/util.php'
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
http://www.securityfocus.com/bid/21284 (Exploit; vdb-entry, x_refsource_bid)
https://exchange.xforce.ibmcloud.com/vulnerabilities/44729 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_xf)
https://www.exploit-db.com/exploits/2843 (Exploit, Third Party Advisory; exploit, x_refsource_exploit-db)

Scores

EPSS: 0.0223
EPSS Percentile: 80.5%

Details

Status: published
Products (1): nukeai/nukeai 0.0.3_beta
Published: Dec 04, 2006
Tracked Since: Feb 18, 2026