CVE-2019-19609

HIGH · EXPLOITED IN THE WILD

Strapi < 3.0.0-beta.17.8 - Remote Code Execution via Plugin Install/Uninstall


Exploitation Summary

CVE-2019-19609 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 9 public exploits from researchers including David Utón, diego-tella, ebadfd.

AI-analyzed exploit summary: This exploit targets Strapi CMS versions up to 3.0.0-beta.17.7, leveraging an authenticated RCE vulnerability via plugin installation. It sends a malicious payload through the `/admin/plugins/install` endpoint, executing arbitrary commands and establishing a reverse shell.

Description

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.

Exploits (9)

exploitdb WORKING POC
by David Utón · python · webapps · multiple
https://www.exploit-db.com/exploits/50238

This exploit targets Strapi CMS versions up to 3.0.0-beta.17.7, leveraging an authenticated RCE vulnerability via plugin installation. It sends a malicious payload through the `/admin/plugins/install` endpoint, executing arbitrary commands and establishing a reverse shell.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Strapi CMS <= 3.0.0-beta.17.7 · Auth required
Prerequisites: Valid JWT token · Network access to target · Netcat listener on attacker machine
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 9 stars
by diego-tella · remote-auth
https://github.com/diego-tella/CVE-2019-19609-EXPLOIT

This repository contains a functional exploit for CVE-2019-19609, a remote code execution vulnerability in Strapi versions 3.0.0-beta.17.7 and earlier. The exploit leverages a vulnerable plugin installation endpoint to execute arbitrary commands via a crafted JSON payload, resulting in a reverse shell.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Strapi <= 3.0.0-beta.17.7 · Auth required
Prerequisites: Valid JWT token for authentication · Network access to the target Strapi instance
Analyzed by devstral-2, Feb 19, 2026
nomisec WORKING POC 7 stars
by ebadfd · remote-auth
https://github.com/ebadfd/CVE-2019-19609

This repository contains a functional exploit for CVE-2019-19609, a remote code execution vulnerability in the Strapi Framework. The exploit leverages a command injection flaw in the plugin installation feature, allowing an attacker to execute arbitrary commands via a crafted JSON payload.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Strapi Framework (strapi-3.0.0-beta.17.7 and earlier) · Auth required
Prerequisites: Valid JWT token for authentication · Network connectivity to the target Strapi instance · Listener set up on the attacker's machine
Analyzed by devstral-2, Feb 19, 2026
nomisec WORKING POC 2 stars
by glowbase · poc
https://github.com/glowbase/CVE-2019-19609

This repository contains a functional exploit for CVE-2019-19609, targeting Strapi CMS 3.0.0-beta.17.4. The exploit chains password reset (CVE-2019-18818) with command injection to achieve unauthenticated RCE via plugin installation.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Strapi CMS version 3.0.0-beta.17.4 or lower · No auth needed
Prerequisites: Network access to Strapi admin interface · Netcat listener for reverse shell
Analyzed by devstral-2, Feb 19, 2026
nomisec WORKING POC
by RamPanic · remote
https://github.com/RamPanic/CVE-2019-19609-EXPLOIT

This repository contains a functional exploit for CVE-2019-19609, targeting Strapi CMS versions 3.0.0-beta.17.4 and below. The exploit chains a password reset vulnerability with a remote code execution (RCE) payload to achieve unauthenticated RCE via a reverse shell.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Strapi CMS version 3.0.0-beta.17.4 or lower · No auth needed
Prerequisites: Network access to the target Strapi CMS instance · Target must be running a vulnerable version of Strapi CMS
Analyzed by devstral-2, Feb 19, 2026
nomisec WORKING POC
by n000xy · remote
https://github.com/n000xy/CVE-2019-19609-POC-Python

This repository contains a functional Python exploit for CVE-2019-19609, which targets Strapi CMS. The exploit resets the admin password, obtains a JWT token, and executes a reverse shell payload via the plugin installation endpoint.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Strapi CMS (versions prior to 3.0.0-beta.17.7) · No auth needed
Prerequisites: Network access to the target Strapi instance · Python environment with required libraries (requests, jwt)
Analyzed by devstral-2, Feb 19, 2026
nomisec WORKING POC
by D3m0nicw0lf · remote
https://github.com/D3m0nicw0lf/CVE-2019-19609

This repository contains a functional exploit for CVE-2019-19609, a remote code execution vulnerability in Strapi. The exploit leverages a malicious plugin installation via a crafted JSON payload to execute arbitrary commands on the target system.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Strapi (versions prior to fix) · Auth required
Prerequisites: Valid JWT token for authentication · Network access to the Strapi admin interface
Analyzed by devstral-2, Feb 19, 2026
nomisec WORKING POC
by guglia001 · remote
https://github.com/guglia001/CVE-2019-19609

This repository contains a functional Python exploit for CVE-2019-19609, an authenticated remote code execution vulnerability in Strapi <= 3.0.0-beta.17.8. The exploit leverages command injection via the 'plugin' parameter in the '/admin/plugins/install' endpoint to execute a reverse shell payload.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Strapi <= 3.0.0-beta.17.8 · Auth required
Prerequisites: Valid authentication token · Network access to the target Strapi instance
Analyzed by devstral-2, Feb 19, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/Hackhoven/Strapi-RCE

This repository contains a functional exploit script that chains CVE-2019-18818 (password reset vulnerability) and CVE-2019-19609 (RCE via plugin installation) to achieve unauthenticated remote code execution in Strapi CMS. The script automates the process of obtaining a JWT token and executing a reverse shell payload.

Classification: Working PoC (100%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Strapi CMS versions 3.0.0-beta.17.4 and lower · No auth needed
Prerequisites: Target URL · Attacker's LHOST · Attacker's LPORT
Analyzed by devstral-2, Feb 25, 2026

References (4)

Exploit, Third Party Advisory x_refsource_misc
https://bittherapy.net/post/strapi-framework-remote-code-execution/
Patch, Third Party Advisory x_refsource_misc
https://github.com/strapi/strapi/pull/4636

Scores

CVSS v3 7.2
EPSS 0.8113
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-03-21
InTheWild.io 2024-05-17
CWE
CWE-78
Status published
Products (2)
npm/strapi 0 - 3.0.0-beta.17.8 (npm)
strapi/strapi 3.0.0 alpha10.1 (49 CPE variants)
Published Dec 05, 2019
Tracked Since Feb 18, 2026