CVE-2024-25292

CRITICAL

martinbarker/rendertune 1.1.4 - Cross-Site Scripting via Upload Title Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-25292. PoCs published by EQSTLab.

AI-analyzed exploit summary: This PoC demonstrates an XSS vulnerability in RenderTune v1.1.4 that can be escalated to RCE via Node.js command execution through Electron's webview. The exploit leverages crafted payloads in the Upload Title parameter to execute arbitrary commands.

Description

Cross-site scripting (XSS) vulnerability in RenderTune v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Upload Title parameter. RenderTune is an Electron desktop application, so the injected script runs inside the application's renderer process rather than in a web browser, which is what makes escalation from XSS to command execution possible when the renderer has access to Node.js.

Exploits (1)

nomisec · WORKING POC · 2 stars
by EQSTLab · poc
https://github.com/EQSTLab/CVE-2024-25292


Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RenderTune v1.1.4
No auth needed
Prerequisites: Access to the vulnerable application · Ability to inject malicious payloads into the Upload Title parameter
Analyzed by devstral-2 on Feb 16, 2026

References (1)


Scores

CVSS v3 9.6
EPSS 0.0149
EPSS Percentile 70.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
martinbarker/rendertune 1.1.4
Published Feb 29, 2024
Tracked Since Feb 18, 2026