CVE-2008-6651

OxYProject OxYBox 0.85 - Remote Code Injection via edithistory.php oxymsg Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6651. PoCs published by GoLd_M.

AI-analyzed exploit summary: This exploit demonstrates a remote code execution vulnerability in OxYProject 0.85 due to improper input validation in the `edithistory.php` file. The attacker can inject PHP code into the chat history file (`oxyhistory.php`) via the `oxymsg` parameter, leading to arbitrary command execution.

Description

Static code injection vulnerability in edithistory.php in OxYProject OxYBox 0.85 allows remote attackers to inject arbitrary PHP code into oxyhistory.php via the oxymsg parameter.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by GoLd_M · text · webapps · php
https://www.exploit-db.com/exploits/5524

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: OxYProject 0.85
Authentication: No auth needed
Prerequisites: Access to the `edithistory.php` endpoint · Ability to submit a crafted POST request
Analysis: devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5524
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/28992
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/42110

Scores

EPSS 0.0350
EPSS Percentile 87.7%

Details

CWE: CWE-94
Status: published
Products (1): oxyproject/oxybox 0.85
Published: Apr 07, 2009
Tracked Since: Feb 18, 2026