Description
Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
References (2)
Core 2
Core References
Exploit, Issue Tracking, Third Party Advisory
https://fluidattacks.com/advisories/harlow/
Issue Tracking, Third Party Advisory
https://github.com/uasoft-indonesia/badaso/issues/802
Scores
CVSS v3
9.8
EPSS
0.1000
EPSS Percentile
93.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (2)
badaso/core
0 - 2.6.1Packagist
uatech/badaso
2.6.0
Published
Oct 25, 2022
Tracked Since
Feb 18, 2026