CVE-2019-17625
CRITICAL
Rambox 0.6.9 - Stored Cross-Site Scripting and OS Command Injection via Service Name Field
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-17625. PoCs published by Ekultek.
AI-analyzed exploit summary
This repository contains a functional exploit for CVE-2019-17625, a stored XSS vulnerability in Rambox 0.6.9 that allows remote code execution via crafted service names. The exploit uses a malicious payload injected into a Discord service configuration to execute OS commands via Node.js.
Description
There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element.
Exploits (1)
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H