CVE-2019-6339

CRITICAL

Drupal Core < 7.62 - Remote Code Execution via phar:// Stream Wrapper

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-6339. PoCs published by Vulnmachines.

AI-analyzed exploit summary This exploit leverages a PHP deserialization vulnerability in Drupal via a malicious Phar archive. It uses the GuzzleHttp\Psr7\FnStream class to trigger arbitrary code execution (phpinfo in this case) during object destruction.

Description

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Exploits (1)

nomisec WORKING POC 6 stars

by Vulnmachines · poc

https://github.com/Vulnmachines/drupal-cve-2019-6339

View Code ZIP pw:eip

This exploit leverages a PHP deserialization vulnerability in Drupal via a malicious Phar archive. It uses the GuzzleHttp\Psr7\FnStream class to trigger arbitrary code execution (phpinfo in this case) during object destruction.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Drupal (specific version not specified in code)

No auth needed

Prerequisites: PHP environment with Phar extension enabled · Drupal instance vulnerable to CVE-2019-6339

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2019/dsa-4370

Patch, Vendor Advisory x_refsource_confirm

https://www.drupal.org/sa-core-2019-002

Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

Scores

CVSS v3 9.8

EPSS 0.7609

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (5)

debian/debian_linux 8.0

debian/debian_linux 9.0

drupal/core 7.0.0 - 7.62.0Packagist

drupal/drupal 7.0 - 7.62

drupal/drupal 7.0.0 - 7.62.0Packagist

Published Jan 22, 2019

Tracked Since Feb 18, 2026