CVE-2013-1412

DataLife Engine 9.7 - Remote Code Execution via catlist[] Parameter

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-1412. PoCs published by Metasploit, EgiX, and juan vazquez, including the Metasploit module exploits/unix/webapp/datalife_preview_exec.

AI-analyzed exploit summary: This Metasploit module exploits a PHP code injection vulnerability in DataLife Engine 9.7 via insecure usage of preg_replace() with the e modifier in preview.php. It injects arbitrary PHP code when the template contains a [catlist] or [not-catlist] tag.

Description

DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby, remote, php
https://www.exploit-db.com/exploits/24444

This Metasploit module exploits a PHP code injection vulnerability in DataLife Engine 9.7 via insecure usage of preg_replace() with the e modifier in preview.php. It injects arbitrary PHP code when the template contains a [catlist] or [not-catlist] tag.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: DataLife Engine 9.7
No auth needed
Prerequisites: Target must be running DataLife Engine 9.7 with a vulnerable template tag
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by EgiX · text, webapps, php
https://www.exploit-db.com/exploits/24438

The writeup describes a PHP code injection vulnerability in DataLife Engine 9.7 due to improper sanitization of the 'catlist' parameter in the /engine/preview.php script, allowing arbitrary PHP code execution via preg_replace with the e modifier.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: DataLife Engine 9.7
No auth needed
Prerequisites: A template containing a 'catlist' or 'not-catlist' tag
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by EgiX, juan vazquez · ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/datalife_preview_exec.rb

This Metasploit module exploits a PHP code injection vulnerability in DataLife Engine 9.7 via insecure usage of preg_replace() with the e modifier in preview.php. It allows arbitrary PHP code execution when a template with [catlist] or [not-catlist] tags is present.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: DataLife Engine 9.7
No auth needed
Prerequisites: A template with [catlist] or [not-catlist] tags must exist
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/57603
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/24444
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/89662
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/24438
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.html
Exploit x_refsource_misc
http://karmainsecurity.com/KIS-2013-01
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51971

Scores

EPSS 0.4047
EPSS Percentile 98.5%

Details

CWE: CWE-94
Status: published
Products (1): dleviet/datalife_engine 9.7
Published: Jun 02, 2014
Tracked Since: Feb 18, 2026