CVE-2018-3786

CRITICAL

egg-scripts < 2.8.1 - OS Command Injection via Command Line Argument


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-3786. PoCs published by erik-krogh.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2018-3786, a vulnerability in the egg-scripts package. The exploit demonstrates how arbitrary command execution can be achieved due to improper handling of user input in the start command.

Description

A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.

Exploits (1)

nomisec WORKING POC
by erik-krogh · poc
https://github.com/erik-krogh/egg-scripts-CVE-2018-3786

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: egg-scripts < 2.9.0
No auth needed
Prerequisites: Node.js environment · egg-scripts package installed
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/eggjs/egg-scripts/pull/26
Exploit, Patch, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/388936
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/eggjs/egg-scripts/blob/2.8.1/History.md

Scores

CVSS v3 9.8
EPSS 0.1001
EPSS Percentile 93.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78 CWE-77
Status published
Products (2)
eggjs/egg-scripts < 2.8.1
npm/egg-scripts 0 - 2.8.1 (npm)
Published Aug 24, 2018
Tracked Since Feb 18, 2026