CVE-2022-35914

CRITICAL · KEV · NUCLEI

GLPI htmLawed php command injection

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2022-35914 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 7, 2023. EIP tracks 11 public exploits from researchers including Miguel Redondo, cosad3s and senderend, as well as a Metasploit module, exploits/linux/http/glpi_htmlawed_php_injection. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a Remote Code Execution (RCE) vulnerability in htmLawed <= 1.2.5 by sending a crafted POST request with a command embedded in the 'text' parameter. The response is parsed to extract the command output.

Description

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Exploits (11)

exploitdb · WORKING POC
by Miguel Redondo · bash · webapps · php
https://www.exploit-db.com/exploits/52023

This exploit leverages a Remote Code Execution (RCE) vulnerability in htmLawed <= 1.2.5 by sending a crafted POST request with a command embedded in the 'text' parameter. The response is parsed to extract the command output.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Trivial
Reliability: Reliable
Target: htmLawed <= 1.2.5
No auth needed
Prerequisites: Target URL with vulnerable htmLawed instance
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 49 stars
by cosad3s · remote
https://github.com/cosad3s/CVE-2022-35914-poc

This repository contains a functional Python exploit for CVE-2022-35914, which targets a command injection vulnerability in GLPI via a third-party library script. The exploit automates the process of checking for vulnerability and executing arbitrary commands on the target system.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: GLPI (versions affected by CVE-2022-35914)
No auth needed
Prerequisites: Access to the target GLPI instance · Network connectivity to the vulnerable endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 3 stars
by senderend · remote
https://github.com/senderend/CVE-2022-35914

This repository contains a functional exploit for CVE-2022-35914, a command injection vulnerability in GLPI via a third-party library script. The exploit sends crafted POST requests to execute arbitrary commands on the target system.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: GLPI (versions affected by CVE-2022-35914)
No auth needed
Prerequisites: Access to the target URL · Presence of vulnerable htmLawedTest.php script
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 2 stars
by noxlumens · remote
https://github.com/noxlumens/CVE-2022-35914_poc

This repository contains a functional exploit for CVE-2022-35914, a command injection vulnerability in GLPI's htmLawedTest.php. The exploit leverages the `call_user_func`, `array_map`, and `passthru` functions to execute arbitrary commands on the target system.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: GLPI (versions affected by CVE-2022-35914)
No auth needed
Prerequisites: Target must have the vulnerable htmLawedTest.php endpoint accessible · Network access to the target system
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 2 stars
by 0xGabe · remote
https://github.com/0xGabe/CVE-2022-35914

The repository contains a functional exploit for CVE-2022-35914, demonstrating unauthenticated remote code execution (RCE) in GLPI 10.0.2 via a crafted HTTP request to the htmLawedTest.php endpoint. The exploit leverages the 'hhook' parameter to execute arbitrary commands (e.g., 'cat /etc/passwd') without authentication.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Trivial
Reliability: Reliable
Target: GLPI 10.0.2
No auth needed
Prerequisites: Network access to the target GLPI instance · The vulnerable endpoint '/vendor/htmlawed/htmlawed/htmLawedTest.php' must be accessible
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 2 stars
by Lzer0Kx01 · remote
https://github.com/Lzer0Kx01/CVE-2022-35914

This repository contains a functional exploit for CVE-2022-35914, which targets a command injection vulnerability in the htmLawedTest.php file. The exploit sends a crafted POST request with a command payload and parses the response to confirm successful execution.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: htmLawed (specific version not specified)
No auth needed
Prerequisites: Target URL list in target.txt · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 1 star
by 6E6L6F · remote
https://github.com/6E6L6F/CVE-2022-35914

This repository contains a functional exploit for CVE-2022-35914, a command injection vulnerability in GLPI via the htmLawedTest.php script. The exploit sends crafted HTTP requests to execute arbitrary commands on the target system.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: GLPI (with htmLawed library)
No auth needed
Prerequisites: Target must have the vulnerable htmLawedTest.php script accessible · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC
by Johnermac · remote
https://github.com/Johnermac/CVE-2022-35914

This repository contains a functional Ruby exploit for CVE-2022-35914, which targets an RCE vulnerability in GLPI. The exploit sends crafted POST requests to a vulnerable endpoint, allowing command execution via the 'hhook' parameter set to 'exec'.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Trivial
Reliability: Reliable
Target: GLPI (version not specified)
No auth needed
Prerequisites: Network access to the vulnerable GLPI instance · Vulnerable endpoint exposed
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb · WORKING POC
remote
https://github.com/Orange-Cyberdefense/glpwnme

The repository contains a functional exploit tool for multiple GLPI vulnerabilities, including CVE-2022-35914. It includes Docker support, detailed usage instructions, and exploit implementations for various CVEs.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: GLPI < 10.0.3
No auth needed
Prerequisites: Target running vulnerable GLPI version
devstral-2 · analyzed Feb 25, 2026
metasploit · WORKING POC · EXCELLENT
by cosad3s, bwatters-r7 · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb

This Metasploit module exploits an unauthenticated PHP command injection vulnerability in GLPI versions 10.0.2 and below via the htmLawed test page. It retrieves a token and session ID, then executes arbitrary commands through a POST request.

Classification: Working Poc 100%
Attack Type: Rce
Complexity: Trivial
Reliability: Reliable
Target: GLPI <= 10.0.2
No auth needed
Prerequisites: Network access to the GLPI instance · htmLawed test page accessible
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

GLPI <=10.0.2 - Remote Command Execution
CRITICAL · VERIFIED · by For3stCo1d, allendemoura
Shodan: http.favicon.hash:"-1474875778" || http.title:"glpi"
FOFA: icon_hash="-1474875778" || title="glpi"

Scores

CVSS v3 9.8
EPSS 0.9439
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-03-07
VulnCheck KEV 2022-10-05
InTheWild.io 2022-10-03
ENISA EUVD EUVD-2022-38785
CWE
CWE-74
Status published
Products (1)
glpi-project/glpi < 10.0.2
Published Sep 19, 2022
KEV Added Mar 07, 2023
Tracked Since Feb 18, 2026