CVE-2018-20718

CRITICAL

Pydio < 8.2.2 - Unauthenticated Remote Code Execution via PHP Object Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20718. PoCs published by us3r777.

AI-analyzed exploit summary This is a functional exploit for CVE-2018-20718, a PHP object injection vulnerability in Pydio before 8.2.1. It leverages deserialization via the `lang` parameter and a gadget chain to achieve unauthenticated remote code execution.

Description

In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.

Exploits (1)

nomisec WORKING POC 3 stars

by us3r777 · poc

https://github.com/us3r777/CVE-2018-20718

View Code ZIP pw:eip

This is a functional exploit for CVE-2018-20718, a PHP object injection vulnerability in Pydio before 8.2.1. It leverages deserialization via the `lang` parameter and a gadget chain to achieve unauthenticated remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pydio < 8.2.1

No auth needed

Prerequisites: Public share URL · Share ID · Serialized PHP payload (e.g., generated with PHPGGC)

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://blog.ripstech.com/2018/pydio-unauthenticated-remote-code-execution/

Scores

CVSS v3 9.8

EPSS 0.0373

EPSS Percentile 88.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (1)

pydio/pydio < 8.2.2

Published Jan 15, 2019

Tracked Since Feb 18, 2026