CVE-2009-4115

CutePHP CuteNews 1.4.6 - Code Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4115. PoCs published by rgod.

AI-analyzed exploit summary

This exploit targets CVE-2009-4115 in CuteNews 1.4.1, leveraging a shell injection vulnerability to execute arbitrary commands. It injects a PHP shell into 'ipban.db.php' via a malformed request and then triggers command execution through the injected shell.

Description

Multiple static code injection vulnerabilities in the Categories module in CutePHP CuteNews 1.4.6 allow remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the (1) category and (2) Icon URL fields; or (3) inject arbitrary PHP code into data/ipban.php via the add_ip parameter.

Exploits (1)

exploitdb · working PoC · verified
by rgod · php · webapps
https://www.exploit-db.com/exploits/1289

Classification
Working PoC: 95% confidence
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CuteNews 1.4.1
No auth needed (note that the CVE description above states the injection requires remote authenticated users with application administrative privileges)
Prerequisites: Target must be running CuteNews 1.4.1 with a vulnerable configuration · PHP settings such as 'register_globals' and 'allow_call_time_pass_reference' may need to be enabled
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References (3)
- Third Party Advisory, VDB Entry (x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/54243
- Third Party Advisory, VDB Entry, mailing list (x_refsource_bugtraq): http://www.securityfocus.com/archive/1/507782/100/0/threaded

Scores

EPSS: 0.0200
EPSS percentile: 78.1%

Details

CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status: published
Products (1): cutephp/cutenews 1.4.6
Published: Nov 30, 2009
Tracked since: Feb 18, 2026