CVE-2022-41705

CRITICAL

Badaso <2.6.3 - RCE

Title source: llm

Description

Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://fluidattacks.com/advisories/headhunterz/

Product

https://github.com/uasoft-indonesia/badaso/

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0595

EPSS Percentile 90.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

badaso/core 0 - 2.7.0Packagist

uatech/badaso 2.6.3

Published Nov 25, 2022

Tracked Since Feb 18, 2026