CVE-2018-11652

CRITICAL

Nikto <2.1.6 - Command Injection

Description

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.

Exploits (1)

exploitdb WORKING POC
by Adam Greenhill · text · local · linux
https://www.exploit-db.com/exploits/44899

Scores

CVSS v3 9.8
EPSS 0.2165
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-1236
Status published
Products (1)
cirt.net/nikto < 2.1.6
Published Jun 01, 2018
Tracked Since Feb 18, 2026