CVE-2020-26217

HIGH NUCLEI

XStream < 1.4.14 - OS Command Injection

Title source: rule

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Exploits (9)

github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/xstream-CVE-2020-26217
nomisec WORKING POC 4 stars
by novysodope · poc
https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC
nomisec WORKING POC 3 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2020-26217
nomisec WORKING POC 2 stars
by Kairo-one · poc
https://github.com/Kairo-one/CVE-2020-26217-XStream
nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-26217-xstream-vulnerable
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-26217-xstream-vulnerable
nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/x-stream__xstream_CVE-2020-26217_1-4-14-java77
nomisec STUB
by cuijiung · poc
https://github.com/cuijiung/xstream-CVE-2020-26217
nomisec STUB
by epicosy · poc
https://github.com/epicosy/XStream-1

Nuclei Templates (1)

XStream <1.4.14 - Remote Code Execution
HIGH by pwnhxl, vicrack

References (15)

Scores

CVSS v3 8.0
EPSS 0.9301
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (37)
apache/activemq 5.16.0
apache/activemq < 5.15.14
com.thoughtworks.xstream/xstream 0 - 1.4.14-java7 (Maven)
debian/debian_linux 9.0
debian/debian_linux 10.0
netapp/snapmanager (2 CPE variants)
oracle/banking_cash_management 14.2
oracle/banking_cash_management 14.3
oracle/banking_cash_management 14.5
oracle/banking_corporate_lending_process_management 14.2
... and 27 more
Published Nov 16, 2020
Tracked Since Feb 18, 2026