CVE-2013-1436

xmonad-contrib < 0.11.2 - Remote Code Execution via Web Page Title


Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-1436. PoCs published by Joachim Breitner.

AI-analyzed exploit summary: This exploit leverages a command injection vulnerability in the XMonad.Hooks.DynamicLog module by embedding malicious commands within HTML tags. The PoC demonstrates arbitrary command execution via crafted HTML titles.

Description

The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Joachim Breitner · html · remote · linux
https://www.exploit-db.com/exploits/38680


Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: XMonad.Hooks.DynamicLog module for xmonad
No auth needed
Prerequisites: Victim must process the malicious HTML file with a vulnerable version of XMonad.Hooks.DynamicLog
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0898
EPSS Percentile 94.6%

Details

CWE: CWE-94
Status: published
Products (2)
xmonad/xmonad-contrab 0.11
xmonad/xmonad-contrab < 0.11.1
Published: Oct 06, 2014
Tracked Since: Feb 18, 2026