CVE-2023-46404

CRITICAL

utoronto/pcrs <= 3.11 - Remote Code Execution via Python Sandbox Escape

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-46404. PoCs published by windecks.

AI-analyzed exploit summary: The repository contains a functional PoC for CVE-2023-46404, demonstrating RCE in PCRS by escaping Python sandboxing via generator frames and unicode normalization. The exploit leverages stack frame traversal and module loading to execute arbitrary commands.

Description

PCRS <= 3.11 (d0de1e) “Questions” page and “Code editor” page are vulnerable to remote code execution (RCE) by escaping Python sandboxing.

Exploits (1)

nomisec WORKING POC 3 stars
by windecks · poc
https://github.com/windecks/CVE-2023-46404

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PCRS <= 3.11 d0de1e
Auth required
Prerequisites: Authenticated access to PCRS · Python execution enabled in PCRS
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 9.9
EPSS: 0.0189
EPSS Percentile: 76.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (1): utoronto/pcrs < 3.11
Published: Nov 03, 2023
Tracked Since: Feb 18, 2026