CVE-2018-6409

MEDIUM

MachForm < 4.2.3 - Path Traversal via download.php q Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-6409. PoCs published by Amine Taouirsa.

AI-analyzed exploit summary: This exploit demonstrates SQL injection (CVE-2018-6410), path traversal (CVE-2018-6409), and file upload filter bypass (CVE-2018-6411) in MachForm. It includes proof-of-concept payloads for extracting user emails, downloading arbitrary files, and bypassing file upload restrictions.

Description

An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files reads the file path from the database, so modifying the name of the file to serve in the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.

Exploits (1)

exploit-db · Working PoC · Verified
by Amine Taouirsa · text · webapps · php
https://www.exploit-db.com/exploits/44804

Classification: Working PoC (95%)
Attack Type: SQLi · Info Leak · Other
Complexity: Moderate
Reliability: Reliable
Target: MachForm (versions prior to 4.2.3)
Authentication: none needed
Prerequisites: Access to the target MachForm installation · Base64 encoding/decoding capability
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
https://metalamin.github.io/MachForm-not-0-day-EN/ · Exploit, Third Party Advisory · x_refsource_misc
https://www.exploit-db.com/exploits/44804/ · Exploit, Third Party Advisory, VDB Entry · exploit x_refsource_exploit-db
https://www.machform.com/blog-machform-423-security-release/ · Release Notes, Vendor Advisory · x_refsource_misc

Scores

CVSS v3: 5.3
EPSS: 0.1476 (percentile 96.3%)
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-22
Status: published
Products (1): machform/machform 4.2.3
Published: May 26, 2018
Tracked Since: Feb 18, 2026