CVE-2023-54339

CRITICAL

Webgrind < 1.1 - OS Command Injection

Description

Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. By manipulating dataFile, an attacker can execute arbitrary system commands on the target system, for example with the payload '0%27%26calc.exe%26%27'.

Exploits (1)

exploitdb WORKING POC
by Rafael Pedrero · text · webapps · php
https://www.exploit-db.com/exploits/51074

Scores

CVSS v3 9.8
EPSS 0.0073
EPSS Percentile 72.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
webgrind_project/webgrind < 1.1
Published Jan 13, 2026
Tracked Since Feb 18, 2026