CVE-2023-53895

CRITICAL

PimpMyLog 1.7.14 - XSS

Title source: llm

Description

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Because the username field is not sanitized, an attacker can inject malicious JavaScript into it, create a hidden backdoor account, and potentially access sensitive server-side log information and environment variables.

Exploits (1)

exploitdb WORKING POC
by thoughtfault · python · webapps · php
https://www.exploit-db.com/exploits/51593

Scores

CVSS v3 9.8
EPSS 0.0074
EPSS Percentile 73.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-285
Status published
Products (2)
Pimpmylog/PimpMyLog 1.7.14
potsky/pimp_my_log 1.7.14
Published Dec 16, 2025
Tracked Since Feb 18, 2026