CVE-2024-27292

HIGH EXPLOITED NUCLEI

Docassemble - Local File Inclusion

Title source: nuclei

Description

Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.

Exploits (2)

nomisec WORKING POC 7 stars
by th3gokul · infoleak
https://github.com/th3gokul/CVE-2024-27292

nomisec WORKING POC 3 stars
by NingXin2002 · infoleak
https://github.com/NingXin2002/Docassemble_poc

Nuclei Templates (1)

Docassemble - Local File Inclusion
HIGH VERIFIED by johnk3r
Shodan: http.title:"docassemble"
FOFA: icon_hash="-575790689"

Scores

CVSS v3 7.5
EPSS 0.9383
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitation Intel

VulnCheck KEV 2025-06-07

Classification

CWE CWE-706
Status published

Affected Products (3)

jhpyle/docassemble < 1.4.97
pypi/docassemble.webapp < 1.4.97 PyPI
pypi/docassemble.base < 1.4.97 PyPI

Timeline

Published Mar 21, 2024
Tracked Since Feb 18, 2026