CVE-2018-6411

CRITICAL

MachForm - Unrestricted Upload of File with Dangerous Type via SQL Injection in ap_form_elements

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-6411. PoCs published by Amine Taouirsa.

AI-analyzed exploit summary: This exploit demonstrates SQL injection (CVE-2018-6410), path traversal (CVE-2018-6409), and file upload filter bypass (CVE-2018-6411) in MachForm. It includes proof-of-concept payloads for extracting user emails, downloading arbitrary files, and bypassing file upload restrictions.

Description

An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.

Exploits (1)

exploitdb · Working PoC · Verified
by Amine Taouirsa · text · webapps · php
https://www.exploit-db.com/exploits/44804


Classification
Working PoC 95%
Attack Type
SQLi | Info Leak | Other
Complexity
Moderate
Reliability
Reliable
Target: MachForm (versions prior to 4.2.3)
No auth needed
Prerequisites: Access to the target MachForm installation · Base64 encoding/decoding capability
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References (3)
Exploit, Third Party Advisory x_refsource_misc
https://metalamin.github.io/MachForm-not-0-day-EN/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44804/
Release Notes, Vendor Advisory x_refsource_misc
https://www.machform.com/blog-machform-423-security-release/

Scores

CVSS v3 9.8
EPSS 0.0588
EPSS Percentile 92.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
machform/machform 4.2.3
Published May 26, 2018
Tracked Since Feb 18, 2026