CVE-2023-54339

CRITICAL

webgrind < 1.1 - Unauthenticated Remote Command Execution via dataFile Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-54339. PoCs published by Rafael Pedrero.

AI-analyzed exploit summary The exploit demonstrates a Remote Command Execution (RCE) and Reflected Cross-Site Scripting (XSS) vulnerability in Webgrind 1.1. The RCE is achieved by injecting OS commands via the 'dataFile' parameter, while the XSS is triggered through the 'file' parameter in the 'fileviewer' operation.

Description

Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system.

Exploits (1)

exploitdb WORKING POC
by Rafael Pedrero · textwebappsphp
https://www.exploit-db.com/exploits/51074

The exploit demonstrates a Remote Command Execution (RCE) and Reflected Cross-Site Scripting (XSS) vulnerability in Webgrind 1.1. The RCE is achieved by injecting OS commands via the 'dataFile' parameter, while the XSS is triggered through the 'file' parameter in the 'fileviewer' operation.

Classification
Working Poc 95%
Attack Type
Rce | Xss
Complexity
Trivial
Reliability
Reliable
Target: Webgrind <= 1.1
No auth needed
Prerequisites: Access to the target Webgrind instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0146
EPSS Percentile 70.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
webgrind_project/webgrind < 1.1
Published Jan 13, 2026
Tracked Since Feb 18, 2026