CVE-2024-29272

MEDIUM NUCLEI

VvvebJs < 1.7.5 - Arbitrary File Upload

Title source: nuclei

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-29272. PoCs published by awjkjflkwlekfdjs. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a functional PoC for CVE-2024-29272, an unauthenticated arbitrary file upload vulnerability in VvvebJS < 1.7.5. It uploads a PHP reverse shell via a POST request to `/save.php` and triggers execution by accessing the uploaded file.

Description

An arbitrary file upload vulnerability in VvvebJs before version 1.7.5 allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.

Exploits (1)

nomisec WORKING POC
by awjkjflkwlekfdjs · poc
https://github.com/awjkjflkwlekfdjs/CVE-2024-29272

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VvvebJS < 1.7.5
No auth needed
Prerequisites: Network access to the target · Attacker-controlled listener for reverse shell
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

VvvebJs < 1.7.5 - Arbitrary File Upload
MEDIUM · VERIFIED · by s4e-io
FOFA: icon_hash="524332373"

Scores

CVSS v3 6.5
EPSS 0.9110
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-434
Status published
Products (2)
npm/vvvebJs 0 - 1.7.5 (npm)
vvveb/vvvebjs < 1.7.5
Published Mar 22, 2024
Tracked Since Feb 18, 2026