CVE-2023-26469

Critical · Exploited in the wild · Nuclei template available

Jorani 1.0.0 - Path Traversal and Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2023-26469 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 4 public exploits from researchers including d0rb, dyeat and Kairo-one, as well as a Metasploit module, exploits/multi/php/jorani_path_trav. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional exploit script for CVE-2023-26469, which leverages a path traversal vulnerability in Jorani 1.0.0 to upload a malicious PHP shell for remote code execution. The PoC demonstrates the vulnerability by sending a crafted multipart/form-data request to upload a shell.

Description

In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.

Exploits (4)

nomisec · Working PoC · 1 star
by d0rb · remote
https://github.com/d0rb/CVE-2023-26469

The repository contains a functional exploit script for CVE-2023-26469, which leverages a path traversal vulnerability in Jorani 1.0.0 to upload a malicious PHP shell for remote code execution. The PoC demonstrates the vulnerability by sending a crafted multipart/form-data request to upload a shell.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Jorani 1.0.0
No auth needed
Prerequisites: Network access to the target server · Jorani 1.0.0 running on the target
Analyzed by devstral-2 on Feb 18, 2026
github · Working PoC
by dyeat · python · poc
https://github.com/dyeat/cve-reproduction/tree/main/Jorani/Jorani/CVE-2023-26469

This repository contains a functional exploit for CVE-2023-26469, a directory traversal vulnerability in Jorani that leads to remote code execution (RCE). The exploit poisons log files with a PHP payload and triggers execution via a crafted HTTP header.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jorani < 1.0.2
No auth needed
Prerequisites: Access to the target URL · PHP execution context in log files
Analyzed by devstral-2 on May 22, 2026
nomisec · Working PoC
by Kairo-one · remote
https://github.com/Kairo-one/CVE-2023-26469-Jorani

This repository contains a functional exploit for CVE-2023-26469, targeting Jorani 1.0.0. The exploit combines path traversal and log injection to achieve remote code execution by injecting malicious PHP code into log files and accessing them via traversal.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jorani 1.0.0
No auth needed
Prerequisites: Target server running Jorani 1.0.0 · Network access to the target
Analyzed by devstral-2 on Feb 19, 2026
metasploit · Working PoC · Excellent
by RIOUX Guilhem (jrjgjk) · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/php/jorani_path_trav.rb

This Metasploit module exploits an unauthenticated RCE in Jorani < 1.0.2 by chaining log poisoning, header spoofing, and path traversal to execute arbitrary PHP code. It leverages a CSRF token bypass and log file inclusion to trigger the payload.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jorani < 1.0.2
No auth needed
Prerequisites: Target must be running Jorani < 1.0.2 · PHP execution context · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

Jorani 1.0.0 - Remote Code Execution
Critical · Verified · by pussycat0x
Shodan: http.favicon.hash:-2032163853
FOFA: icon_hash=-2032163853

Scores

CVSS v3: 9.8
EPSS: 0.9302
EPSS Percentile: 99.8%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2024-09-18
InTheWild.io: 2024-09-18
CWE: CWE-22
Status: published
Products (1): jorani/jorani 1.0.0
Published: Aug 17, 2023
Tracked Since: Feb 18, 2026