CVE-2020-26217

HIGH NUCLEI

Xstream < 1.4.14 - OS Command Injection

Title source: rule

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands solely by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Exploits (8)

github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/xstream-CVE-2020-26217
nomisec WORKING POC 4 stars
by novysodope · poc
https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC
nomisec WORKING POC 3 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2020-26217
nomisec WORKING POC 2 stars
by Kairo-one · poc
https://github.com/Kairo-one/CVE-2020-26217-XStream
nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/x-stream__xstream_CVE-2020-26217_1-4-14-java77
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-26217-xstream-vulnerable
nomisec STUB
by cuijiung · poc
https://github.com/cuijiung/xstream-CVE-2020-26217
nomisec STUB
by epicosy · poc
https://github.com/epicosy/XStream-1

Nuclei Templates (1)

XStream <1.4.14 - Remote Code Execution
HIGH by pwnhxl, vicrack

References (15)

Scores

CVSS v3 8.0
EPSS 0.9357
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Classification

CWE
CWE-78
Status published

Affected Products (38)

xstream/xstream < 1.4.14
debian/debian_linux
debian/debian_linux
netapp/snapmanager
netapp/snapmanager
apache/activemq < 5.15.14
apache/activemq
oracle/banking_cash_management
oracle/banking_cash_management
oracle/banking_cash_management
oracle/banking_corporate_lending_process_management
oracle/banking_corporate_lending_process_management
oracle/banking_corporate_lending_process_management
oracle/banking_credit_facilities_process_management
oracle/banking_credit_facilities_process_management
... and 23 more

Timeline

Published Nov 16, 2020
Tracked Since Feb 18, 2026