CVE-2009-1278

Gravity Board X 2.0 BETA - Remote Code Injection via Configure Action

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-1278. PoCs published by brain[pillow].

AI-analyzed exploit summary The exploit demonstrates SQL injection and remote code execution vulnerabilities in Gravity Board X v2.0 BETA. SQLi is achieved via crafted member_id and board_id parameters, while RCE is possible through admin panel input manipulation.

Description

Static code injection vulnerability in forms/ajax/configure.php in Gravity Board X (GBX) 2.0 BETA allows remote attackers to inject arbitrary PHP code into config.php via the configure action to index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by brain[pillow] · textwebappsphp

https://www.exploit-db.com/exploits/8350

View Code ZIP pw:eip

The exploit demonstrates SQL injection and remote code execution vulnerabilities in Gravity Board X v2.0 BETA. SQLi is achieved via crafted member_id and board_id parameters, while RCE is possible through admin panel input manipulation.

Classification

Working Poc 95%

Attack Type

Sqli | Rce

Complexity

Trivial

Reliability

Reliable

Target: Gravity Board X v2.0 BETA

Auth required

Prerequisites: Access to admin panel for RCE · Target running Gravity Board X v2.0 BETA

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1105 - Ingress Tool Transfer

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/34370

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/49679

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/8350

Scores

EPSS 0.0231

EPSS Percentile 81.2%

Details

CWE

CWE-94

Status published

Products (1)

gravityboardx/gravity_board_x 2.0 beta

Published Apr 09, 2009

Tracked Since Feb 18, 2026