CVE-2011-1774

Cross Platform Webkit File Dropper

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2011-1774. PoCs published by Metasploit, Nicolas Gregoire, including Metasploit module auxiliary/server/webkit_xslt_dropper.

AI-analyzed exploit summary This Metasploit module exploits a file creation vulnerability in WebKit's libxslt (CVE-2011-1774) by redirecting XSLT transformation output to arbitrary files. It achieves RCE by uploading a VBS payload and a MOF file to trigger Windows Management Instrumentation execution.

Description

WebKit in Apple Safari before 5.0.6 has improper libxslt security settings, which allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via a crafted web site. NOTE: this may overlap CVE-2011-1425.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/17993

This Metasploit module exploits a file creation vulnerability in WebKit's libxslt (CVE-2011-1774) by redirecting XSLT transformation output to arbitrary files. It achieves RCE by uploading a VBS payload and a MOF file to trigger Windows Management Instrumentation execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apple Safari (WebKit libxslt) Version 5.0.x on Windows XP
No auth needed
Prerequisites: Target must be using Safari 5.0.x on Windows XP · Target must visit attacker-controlled web page
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC
by Nicolas Gregoire · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/webkit_xslt_dropper.rb

This Metasploit module exploits CVE-2011-1774, a WebKit XSLT vulnerability, to drop arbitrary files on the target filesystem. It serves an XML payload with embedded XSLT that writes user-specified content to a specified path.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: WebKit-based browsers (e.g., Safari, Chrome prior to fix)
No auth needed
Prerequisites: Target must visit a malicious webpage or open a crafted XML file
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Nicolas Gregoire · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/safari_xslt_output.rb

This Metasploit module exploits CVE-2011-1774, a file creation vulnerability in WebKit's libxslt, by redirecting XSLT transformation output to arbitrary files. It achieves RCE by uploading a VBS payload and a MOF file to trigger Windows Management Instrumentation execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apple Safari (WebKit libxslt) on Windows before Vista
No auth needed
Prerequisites: Target must be running Safari with WebKit libxslt on Windows NT 5.1 (e.g., Windows XP)
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8481
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4981
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00000.html
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4999
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4808
Patch, Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2011//Jul/msg00002.html

Scores

EPSS 0.4320
EPSS Percentile 98.6%

Details

CWE
CWE-20
Status published
Products (40)
apple/safari 1.0 (3 CPE variants)
apple/safari 1.0.0
apple/safari 1.0.0b1
apple/safari 1.0.0b2
apple/safari 1.0.1
apple/safari 1.0.2
apple/safari 1.0.3 (3 CPE variants)
apple/safari 1.1
apple/safari 1.1.0
apple/safari 1.1.1
... and 30 more
Published Jul 21, 2011
Tracked Since Feb 18, 2026