CVE-2019-18839

CRITICAL

FUDForum 3.0.9 - Stored Cross-Site Scripting and Remote Code Execution via nlogin Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-18839. PoCs published by fuzzlove-group.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2019-18839 and CVE-2019-18873, demonstrating stored XSS vulnerabilities in FUDForum 3.0.9 that can lead to remote code execution. The exploit leverages XSS via username and user-agent fields to execute arbitrary JavaScript, which then uploads a PHP shell to the target system.

Description

FUDForum 3.0.9 is vulnerable to Stored XSS via the nlogin parameter. This may result in remote code execution. An attacker can use a user account to fully compromise the system using a POST request. When the admin visits the user information, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

Exploits (1)

gitlab WORKING POC
by fuzzlove-group · poc
https://gitlab.com/fuzzlove-group/FUDforum-XSS-RCE

This repository contains a functional exploit for CVE-2019-18839 and CVE-2019-18873, demonstrating stored XSS vulnerabilities in FUDForum 3.0.9 that can lead to remote code execution. The exploit leverages XSS via username and user-agent fields to execute arbitrary JavaScript, which then uploads a PHP shell to the target system.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: FUDForum 3.0.9
Auth required
Prerequisites: Registered user account · Admin interaction to trigger payload
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/fuzzlove/FUDforum-XSS-RCE

Scores

CVSS v3 9.0
EPSS 0.0544
EPSS Percentile 91.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-78 CWE-79
Status published
Products (1)
fudforum/fudforum 3.0.9
Published Nov 13, 2019
Tracked Since Feb 18, 2026