CVE-2023-33404

CRITICAL

BlogEngine.NET < 3.3.8.0 - Remote Code Execution via Insufficient Upload Validation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-33404. PoCs published by hacip.

AI-analyzed exploit summary: This repository documents CVE-2023-33404, an arbitrary file upload vulnerability in BlogEngine.NET CMS (version 3.3.8.0 and earlier) that allows users with EditOwnPosts rights to upload malicious files to a hard-coded location, leading to RCE.

Description

An Unrestricted Upload vulnerability in BlogEngine.Net version 3.3.8.0 and earlier, caused by insufficient validation in the UploadControlled.cs file, allows remote attackers to execute remote code.

Exploits (1)

nomisec WRITEUP
by hacip · poc
https://github.com/hacip/CVE-2023-33404

Classification
Writeup 90%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: BlogEngine.NET CMS <= 3.3.8.0
Auth required
Prerequisites: User with EditOwnPosts rights · Access to /api/upload endpoint
devstral-2 · analyzed Feb 16, 2026

References (1)

Core 1
Core References
Exploit, Third Party Advisory
https://github.com/hacip/CVE-2023-33404

Scores

CVSS v3 9.8
EPSS 0.2235
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
blogengine/blogengine.net < 3.3.8.0
Published Jun 26, 2023
Tracked Since Feb 18, 2026