CVE-2013-7285

CRITICAL NUCLEI

XStream API <=1.4.6, 1.4.10 - RCE

Title source: llm

Description

XStream API versions up to and including 1.4.6, and version 1.4.10, may allow a remote attacker to run arbitrary shell commands if the XStream security framework has not been initialized: the library instantiates whatever types the input names, so an attacker who controls the processed input stream can pick a class that executes commands when it is unmarshaled. This applies to XML and to any other supported format, e.g. JSON.
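The two configurations the description contrasts, as an added example written for this page (it is not code from the advisory, the listed exploits or the XStream project): an XStream instance with no security framework set up, beside one that denies every type and then allows only the types the application expects. The Person class, the "person" alias and both input documents are constructed for the example; the unexpected document names a harmless JDK class only to show the allow list working, and reproduces no gadget from the linked exploits.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example, not the advisory's or the XStream project's own code.
// Written against the XStream 1.4.x API (security framework: 1.4.7+).
public class XStreamHardening {

    // Hypothetical domain type the application legitimately deserializes.
    public static class Person {
        String name;
        int age;
    }

    // Constructed input: a document naming only allow-listed types.
    static final String TRUSTED_DOC =
        "<person><name>alice</name><age>30</age></person>";

    // Constructed input naming a type the application never expects.
    // An unsecured instance instantiates any class on the classpath that
    // a document names; which classes lead to command execution is the
    // subject of the linked exploits and is not reproduced here.
    static final String UNEXPECTED_DOC = "<java.util.HashMap/>";

    // 1. The configuration the CVE text describes: security framework not
    //    initialized. Before 1.4.7 there is no framework at all; from 1.4.7
    //    on it exists but defaults to permitting every type until the caller
    //    configures it (1.4.10 logs a "Security framework of XStream not
    //    initialized" warning). 1.4.18 and later start from a deny-all
    //    baseline instead.
    static XStream unsafeXStream() {
        XStream xstream = new XStream();
        xstream.alias("person", Person.class);
        return xstream;
    }

    // 2. Hardened: deny everything, then allow exactly the types needed.
    //    Stating the allow list explicitly keeps the behaviour the same
    //    regardless of which 1.4.x release is on the classpath.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny all
        xstream.addPermission(NullPermission.NULL);                // allow null
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Person.class });
        xstream.alias("person", Person.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream safe = hardenedXStream();

        // Allow-listed type: unmarshals normally.
        Person p = (Person) safe.fromXML(TRUSTED_DOC);
        System.out.println("allowed: " + p.name + ", " + p.age);

        // Any other type: rejected before it is instantiated.
        try {
            safe.fromXML(UNEXPECTED_DOC);
            System.out.println("unexpected type was instantiated; the allow list is wrong");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The unsecured instance builds whatever class the document names.
        Object o = unsafeXStream().fromXML(UNEXPECTED_DOC);
        System.out.println("unsafe instance built a " + o.getClass().getName());
    }
}
```

When auditing an application that ships an affected XStream version, the check is whether every XStream instance passes through something like hardenedXStream() before it touches untrusted input; calling XStream.setupDefaultSecurity(xstream) (available from 1.4.10) only installs XStream's own baseline deny list and still needs an application-specific allow list on top of it.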

Exploits (2)

exploitdb WORKING POC
by Brian D. Hysell · text · webapps · java
https://www.exploit-db.com/exploits/39193
nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6

Nuclei Templates (1)

XStream <1.4.6/1.4.10 - Remote Code Execution
CRITICAL · by pwnhxl, vicrack

Scores

CVSS v3 9.8
EPSS 0.1482
EPSS Percentile 94.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (5)
apache/activemq 5.15.8
com.thoughtworks.xstream/xstream 0 - 1.4.7 (Maven)
oracle/endeca_information_discovery_studio 3.2.0
xstream/xstream 1.4.10
xstream/xstream < 1.4.6
Published May 15, 2019
Tracked Since Feb 18, 2026