CVE-2023-31873

HIGH

Gin Markdown Editor 0.7.4 - Code Execution via Crafted File

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-31873. PoCs published by 8bitsec.

AI-analyzed exploit summary This exploit leverages an XSS vulnerability in Gin Markdown Editor v0.7.4 to achieve arbitrary code execution by embedding malicious JavaScript in a markdown file. The payload uses the `onerror` event handler to execute system commands via Node.js's `child_process` module.

Description

Gin 0.7.4 allows execution of arbitrary code when a crafted file is opened, e.g., via require('child_process').

Exploits (1)

exploitdb WORKING POC

by 8bitsec · textlocalmultiple

https://www.exploit-db.com/exploits/51469

View Code ZIP pw:eip

This exploit leverages an XSS vulnerability in Gin Markdown Editor v0.7.4 to achieve arbitrary code execution by embedding malicious JavaScript in a markdown file. The payload uses the `onerror` event handler to execute system commands via Node.js's `child_process` module.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Gin Markdown Editor v0.7.4

No auth needed

Prerequisites: A markdown file with the malicious payload · Victim to open the file in Gin Markdown Editor

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/172530/Gin-Markdown-Editor-0.7.4-Arbitrary-Code-Execution.html

Scores

CVSS v3 7.8

EPSS 0.0135

EPSS Percentile 67.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

Status published

Products (1)

gin_project/gin 0.7.4

Published May 28, 2023

Tracked Since Feb 18, 2026