CVE-2019-9580

MEDIUM

StackStorm Web UI <2.9.3, <2.10.3 - CSRF


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9580. PoCs published by mpgn.

AI-analyzed exploit summary: the PoC demonstrates a CORS misconfiguration in StackStorm before 2.9.3 and 2.10.x before 2.10.3. The API accepts a "null" Origin value, which any attacker-controlled page can supply (browsers send `Origin: null` from sandboxed iframes and similar opaque contexts), so a victim who holds a valid authentication token and loads the attacker's page can be made to issue cross-origin requests to the st2 API. The PoC chains this with the `core.remote` action to execute arbitrary commands on the target host.

Description

In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, it is possible to bypass the CORS protection mechanism via a "null" origin value, potentially leading to XSS.
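The description above names the mechanism but not why a "null" Origin defeats an allow-list. The following is an added illustration, not code from StackStorm or from the PoC: a hypothetical re-creation of the vulnerable origin check beside a hardened one, plus a simplified model of the browser's allow-origin decision. The allow-list entry and the origins used are constructed sample values; the browser model ignores preflight and treats only the `Access-Control-Allow-Origin` comparison.

```python
"""Added illustration of the CORS 'null' origin bypass pattern behind
CVE-2019-9580. This is NOT StackStorm's code: the two handlers below are a
hypothetical re-creation of the vulnerable and the fixed origin check, and
browser_grants_read is a simplified model of the browser's CORS decision."""

# Constructed sample allow-list; the real deployment value is assumed.
ALLOWED_ORIGINS = ["https://st2web.example.com"]


def vulnerable_allow_origin(request_origin, allowed=ALLOWED_ORIGINS):
    """Vulnerable pattern: echo an allowed origin, otherwise answer 'null'.

    'null' is a real Origin value (sandboxed iframes, data: and file: pages
    send it), so a page running at origin 'null' sees an exact match and the
    browser lets it read the cross-origin response.
    """
    if request_origin in allowed:
        return request_origin
    return "null"


def fixed_allow_origin(request_origin, allowed=ALLOWED_ORIGINS):
    """Hardened pattern: exact allow-list match only, never emit 'null',
    and omit the header entirely (None) for every other origin."""
    if request_origin is None or request_origin == "null":
        return None
    if request_origin in allowed:
        return request_origin
    return None


def browser_grants_read(request_origin, acao_header, credentialed=True):
    """Simplified model of the browser's check on a CORS response:
    the page may read the body only if Access-Control-Allow-Origin equals
    its own origin, or is '*' and the request carried no credentials."""
    if acao_header is None:
        return False
    if acao_header == "*":
        return not credentialed
    return acao_header == request_origin


def attack_page_can_read(allow_origin_fn, attacker_origin="null"):
    """Can an attacker page presenting this Origin read the API response?"""
    acao = allow_origin_fn(attacker_origin)
    return browser_grants_read(attacker_origin, acao)


if __name__ == "__main__":
    checks = (("vulnerable", vulnerable_allow_origin),
              ("fixed", fixed_allow_origin))
    for name, fn in checks:
        for origin in ("https://st2web.example.com", "https://evil.example", "null"):
            acao = fn(origin)
            readable = browser_grants_read(origin, acao)
            print(f"{name:10s} Origin: {origin:28s} -> ACAO: {acao!s:28s} readable: {readable}")
```

To check a live deployment the same way, send a request to an st2 API endpoint with the header `Origin: null` and inspect the `Access-Control-Allow-Origin` response header: a server that answers `null` (or reflects arbitrary origins) follows the vulnerable pattern; a fixed server either omits the header or returns only an allow-listed origin.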

Exploits (1)

nomisec · Working PoC · 31 stars
by mpgn · PoC
https://github.com/mpgn/CVE-2019-9580


Classification
Working PoC (90% confidence)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: StackStorm < 2.9.3 and 2.10.x < 2.10.3
Authentication required
Prerequisites: Valid authentication token · Victim interaction to trigger the malicious payload
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
https://github.com/StackStorm/st2/releases/tag/v2.9.3 (Release Notes, Third Party Advisory)
https://github.com/StackStorm/st2/releases/tag/v2.10.3 (Release Notes, Third Party Advisory)

Scores

CVSS v3 6.1
EPSS 0.0299
EPSS Percentile 85.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
stackstorm/stackstorm < 2.9.3, 2.10.x < 2.10.3
Published Mar 09, 2019
Tracked Since Feb 18, 2026