CVE-2019-5029

CRITICAL

Exhibitor Web UI <1.7.1 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-5029. PoCs published by Logan Sanderson, thehunt1s0n, yZee00.

AI-analyzed exploit summary

This exploit demonstrates a command injection vulnerability in Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands can be executed by injecting them into the 'java.env script' field, which are then passed unmodified to the Java command launching ZooKeeper.

Description

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

Exploits (3)

exploitdb · WORKING POC
by Logan Sanderson · text · webapps · java
https://www.exploit-db.com/exploits/48654

This exploit demonstrates a command injection vulnerability in Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands can be executed by injecting them into the 'java.env script' field, which are then passed unmodified to the Java command launching ZooKeeper.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Exhibitor Web UI 1.0.9 to 1.7.1
No auth needed
Prerequisites: Network access to the Exhibitor Web UI · Exhibitor Web UI exposed on a reachable port
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 4 stars
by thehunt1s0n · poc
https://github.com/thehunt1s0n/Exihibitor-RCE

This repository contains a functional exploit for CVE-2019-5029, targeting Exhibitor Web UI 1.7.1. The exploit leverages command injection via the 'javaEnvironment' parameter in a POST request to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Exhibitor Web UI 1.7.1
No auth needed
Prerequisites: Network access to the target Exhibitor Web UI · A listener set up on the attacker's machine to receive the reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by yZee00 · poc
https://github.com/yZee00/CVE-2019-5029

This repository contains a Python script PoC for CVE-2019-5029, which exploits a Remote Code Execution (RCE) vulnerability in Exhibitor Web UI version 1.7.1. The script is designed to be executed with target and attacker IP/port details.

Classification: Working PoC 80%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Exhibitor Web UI 1.7.1
No auth needed
Prerequisites: Target IP and port · Attacker IP and port
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References (1)
Exploit, Third Party Advisory (x_refsource_misc): https://talosintelligence.com/vulnerability_reports/TALOS-2019-0790

Scores

CVSS v3: 9.8
EPSS: 0.5715
EPSS Percentile: 98.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (1): exhibitor_project/exhibitor 1.0.9 - 1.7.1
Published: Nov 13, 2019
Tracked Since: Feb 18, 2026