CVE-2015-10141
CRITICAL NUCLEIXdebug <2.5.5 - Command Injection
Title source: llmDescription
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
Exploits (4)
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubyremotephp
https://www.exploit-db.com/exploits/44568
metasploit
WORKING POC
EXCELLENT
by Ricter Zheng, Shaksham Jaiswal, Mumbai · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/xdebug_unauth_exec.rb
Nuclei Templates (1)
Xdebug <= 2.5.5 - Command Injection
CRITICALVERIFIEDby pwnhxl
References (6)
Scores
CVSS v4
9.3
EPSS
0.5364
EPSS Percentile
98.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Details
CWE
CWE-306
CWE-78
Status
published
Products (1)
Xdebug/Xdebug
< 2.5.5
Published
Jul 23, 2025
Tracked Since
Feb 18, 2026