CVE-2018-14772

HIGH

Pydio <8.2.1 - Authenticated Command Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-14772. PoCs published by killvxk.

AI-analyzed exploit summary This is a functional exploit for CVE-2018-14772, a remote code execution vulnerability in Pydio. It leverages command injection in a plugin setting field to achieve RCE, requiring administrator credentials.

Description

Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection.

Exploits (1)

nomisec WORKING POC 1 stars

by killvxk · poc

https://github.com/killvxk/CVE-2018-14772

View Code ZIP pw:eip

This is a functional exploit for CVE-2018-14772, a remote code execution vulnerability in Pydio. It leverages command injection in a plugin setting field to achieve RCE, requiring administrator credentials.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pydio Filesystem Manager

Auth required

Prerequisites: Pydio administrator credentials · Network access to the Pydio instance

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Patch, Technical Description, Third Party Advisory x_refsource_misc

http://coastalsec.io/cve-2018-14772-remote-code-execution

Scores

CVSS v3 7.2

EPSS 0.3276

EPSS Percentile 97.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

pydio/pydio 4.2.1 - 8.2.1

Published Oct 16, 2018

Tracked Since Feb 18, 2026