CVE-2023-53888

HIGH

Zomplog 3.9 - RCE

Title source: llm

Description

Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the saveE and rename actions in the application.

Exploits (1)

exploitdb WORKING POC

by Mirabbas Ağalarov · pythonwebappsphp

https://www.exploit-db.com/exploits/51624

View Code ZIP pw:eip

References (3)

[Product] https://web.archive.org/web/20080616153330/http://zomp.nl/zomplog/

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/51624

[Third Party Advisory, Exploit] https://www.vulncheck.com/advisories/zomplog-remote-code-execution-via-authenticated-file-manipulation

Scores

CVSS v3 8.8

EPSS 0.0090

EPSS Percentile 75.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

zomp/zomplog 3.9

Zomplog/Zomplog 3.9

Published Dec 15, 2025

Tracked Since Feb 18, 2026