CVE-2018-16431
Severity: HIGH
YFCMF v3.0 - Cross-Site Request Forgery in Admin Account Creation
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2018-16431. PoCs published by Rhyru9.
AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2018-16341, an authentication bypass leading to remote code execution in Nuxeo. The PoC leverages template injection to execute arbitrary commands on UNIX and Windows systems via Java Runtime exec calls.
Description
admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.
Exploits (1)
nomisec
WORKING POC
by Rhyru9 · poc
https://github.com/Rhyru9/CVE-2018-16431
Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target:
Nuxeo (version not specified)
No auth needed
Prerequisites:
Network access to the Nuxeo instance · Vulnerable Nuxeo version
devstral-2 · analyzed Feb 16, 2026
References (1)
Core References (1)
Exploit, Third Party Advisory, URL Repurposed · x_refsource_misc
http://hpdoger.me/2018/08/23/Csrf%20in%20YFCMF%203.0/
Scores
CVSS v3
8.8
EPSS
0.0084
EPSS Percentile
53.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
yfcmf/yfcmf
3.0
Published
Sep 04, 2018
Tracked Since
Feb 18, 2026