CVE-2018-16431

HIGH

YFCMF v3.0 - Cross-Site Request Forgery in Admin Account Creation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-16431. PoC published by Rhyru9.

AI-analyzed exploit summary

This repository contains a functional exploit for CVE-2018-16341, an authentication bypass leading to remote code execution in Nuxeo. The PoC leverages template injection to execute arbitrary commands on UNIX and Windows systems via Java Runtime exec calls.

Note that this summary describes CVE-2018-16341 (Nuxeo), not CVE-2018-16431; the vulnerability recorded on this page is a CSRF in YFCMF v3.0 (see Description), so the exploit classification below should be treated as unverified for this CVE.

Description

admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.

Exploits (1)

nomisec WORKING POC
by Rhyru9 · poc
https://github.com/Rhyru9/CVE-2018-16431

Classification
Working PoC (95% confidence)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Nuxeo (version not specified)
No auth needed
Prerequisites: Network access to the Nuxeo instance · Vulnerable Nuxeo version
Analyzed by devstral-2 on Feb 16, 2026.

References (1)

Core reference (tags: Exploit, Third Party Advisory, URL Repurposed, x_refsource_misc)
http://hpdoger.me/2018/08/23/Csrf%20in%20YFCMF%203.0/

Scores

CVSS v3 8.8
EPSS 0.0084
EPSS Percentile 53.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
yfcmf/yfcmf 3.0
Published Sep 04, 2018
Tracked Since Feb 18, 2026