CVE-2022-35649

CRITICAL

Moodle - Remote Code Execution via Ghostscript PostScript Parsing

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-35649. PoCs published by antoinenguyen-09.

AI-analyzed exploit summary This repository contains a Python 2 script that generates a malicious payload for CVE-2022-35649, a vulnerability in GhostScript 9.50 that can lead to remote code execution (RCE) when exploited via ImageMagick. The payload leverages GhostScript's file handling to execute arbitrary commands.

Description

The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Exploits (1)

nomisec WORKING POC
by antoinenguyen-09 · poc
https://github.com/antoinenguyen-09/CVE-2022-35649

This repository contains a Python 2 script that generates a malicious payload for CVE-2022-35649, a vulnerability in GhostScript 9.50 that can lead to remote code execution (RCE) when exploited via ImageMagick. The payload leverages GhostScript's file handling to execute arbitrary commands.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: GhostScript 9.50 (via ImageMagick on Ubuntu 20.04)
No auth needed
Prerequisites: GhostScript 9.50 with vulnerable configuration · ImageMagick with default settings on Ubuntu 20.04
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.0748
EPSS Percentile 92.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20 CWE-94
Status published
Products (4)
fedoraproject/fedora 35
fedoraproject/fedora 36
moodle/moodle 3.9 - 3.9.15Packagist
moodle/moodle 3.9.0 - 3.9.15
Published Jul 25, 2022
Tracked Since Feb 18, 2026