CVE-2018-11686

CRITICAL EXPLOITED NUCLEI

Flowpaper Flexpaper < 2.3.6 - Improper Input Validation

Title source: rule

Description

The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.

Exploits (2)

exploitdb WORKING POC
by redtimmysec · pythonwebappsphp
https://www.exploit-db.com/exploits/46528
nomisec WORKING POC 6 stars
by mpgn · remote
https://github.com/mpgn/CVE-2018-11686

Nuclei Templates (1)

FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
CRITICALVERIFIEDby iamnoooob,pdresearch,pszyszkowski
Shodan: title:"FlexPaper"
FOFA: title="FlexPaper"

References (2)

Scores

CVSS v3 9.8
EPSS 0.9264
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-14
CWE
CWE-20
Status published
Products (1)
flowpaper/flexpaper < 2.3.6
Published Jul 03, 2019
Tracked Since Feb 18, 2026