CVE-2010-2246

feh < 1.8 - Remote Code Execution via URL Shell Metacharacters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-2246. PoCs published by anonymous.

AI-analyzed exploit summary The exploit leverages a command injection vulnerability in feh via the --wget-timestamp option, allowing arbitrary command execution by embedding shell commands in the URL. The provided example demonstrates creating a file 'lol_hax' through command injection.

Description

feh before 1.8, when the --wget-timestamp option is enabled, might allow remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Exploits (1)

exploitdb WORKING POC VERIFIED
by anonymous · textremotelinux
https://www.exploit-db.com/exploits/34201

The exploit leverages a command injection vulnerability in feh via the --wget-timestamp option, allowing arbitrary command execution by embedding shell commands in the URL. The provided example demonstrates creating a file 'lol_hax' through command injection.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: feh (version not specified)
No auth needed
Prerequisites: feh installed on the target system · ability to pass crafted arguments to feh
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Various Sources x_refsource_confirm
http://derf.homelinux.org/git/feh/plain/ChangeLog
Exploit mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/06/28/4
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/41161
Exploit mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/06/25/4

Scores

EPSS 0.0662
EPSS Percentile 93.1%

Details

CWE
CWE-20
Status published
Products (23)
feh_project/feh 0.5.0
feh_project/feh 0.6.4
feh_project/feh 0.7.0
feh_project/feh 0.9.9
feh_project/feh 1.1.0
feh_project/feh 1.2.0
feh_project/feh 1.2.1
feh_project/feh 1.2.3
feh_project/feh 1.2.5
feh_project/feh 1.2.6
... and 13 more
Published May 26, 2011
Tracked Since Feb 18, 2026