CVE-2023-41646

MEDIUM

Buttercup v2.20.3 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-41646. PoCs published by tristao-io.

AI-analyzed exploit summary The repository demonstrates an information leakage vulnerability in Buttercup v2.20.3, where the master password hash can be obtained by accessing the file `/vaults.json`. The PoC provides a clear example of how to exploit this issue.

Description

Buttercup v2.20.3 allows attackers to obtain the hash of the master password for the password manager via accessing the file /vaults.json/

Exploits (2)

nomisec WORKING POC

by tristao-io · poc

https://github.com/tristao-io/CVE-2023-41646

View Code ZIP pw:eip

The repository demonstrates an information leakage vulnerability in Buttercup v2.20.3, where the master password hash can be obtained by accessing the file `/vaults.json`. The PoC provides a clear example of how to exploit this issue.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Buttercup v2.20.3

No auth needed

Prerequisites: Access to the local file system where Buttercup is installed

MITRE ATT&CK

T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 18, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/tristao-marinho/cve-2023-41646

View Code ZIP pw:eip

This PoC demonstrates an information leakage vulnerability in Buttercup v2.20.3, where the master password hash can be obtained by accessing the file `/vaults.json`. The exploit is trivial and involves reading a local file.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Buttercup v2.20.3

No auth needed

Prerequisites: local file system access

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (2)

Core 2

Core References

Product

https://buttercup.pw/

Exploit, Third Party Advisory

https://github.com/tristao-marinho/CVE-2023-41646/

Scores

CVSS v3 5.3

EPSS 0.0007

EPSS Percentile 20.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-916

Status published

Products (2)

npm/buttercup 2.20.3 - 7.4.0npm

perrymitchell/buttercup 2.20.3

Published Sep 07, 2023

Tracked Since Feb 18, 2026