CVE-2024-35539

MEDIUM

Typecho 1.3.0 - Race Condition in Post Commenting Function

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-35539. PoCs published by cyberaz0r.

AI-analyzed exploit summary: This exploit targets a race condition in Typecho 1.3.0 by sending many comment requests at once to trigger the vulnerability. It calculates the form token via JavaScript execution and uses concurrent HTTP requests to flood the target.

Description

Typecho v1.3.0 was discovered to contain a race condition vulnerability in the post commenting function. This vulnerability allows attackers to post several comments before the spam protection checks whether comments are being posted too frequently.

Exploits (2)

exploitdb · WORKING POC
by cyberaz0r · tags: go, webapps, php
https://www.exploit-db.com/exploits/52161

This exploit targets a race condition in Typecho 1.3.0 by sending many comment requests at once to trigger the vulnerability. It calculates the form token via JavaScript execution and uses concurrent HTTP requests to flood the target.

Classification: Working PoC (95%)
Attack Type: DoS
Complexity: Moderate
Reliability: Racy
Target: Typecho 1.3.0
Authentication: none needed
Prerequisites: Target URL with a Typecho 1.3.0 installation
Analyzed by devstral-2 on Feb 16, 2026
github · WORKING POC · 1 star
by cyberaz0r · tags: go, poc
https://github.com/cyberaz0r/Typecho-Multiple-Vulnerabilities

The repository contains functional exploit code for CVE-2024-35539, a race condition vulnerability in Typecho <= 1.3.0. The exploit demonstrates the vulnerability by posting comments in rapid succession to trigger the race condition, relying on JavaScript-based token calculation and concurrent HTTP requests.

Classification: Working PoC (95%)
Attack Type: DoS
Complexity: Moderate
Reliability: Racy
Target: Typecho <= 1.3.0
Authentication: none needed
Prerequisites: Access to a Typecho instance with comments enabled
Analyzed by devstral-2 on Feb 19, 2026


Scores

CVSS v3: 6.5 (MEDIUM)
EPSS: 0.0339
EPSS Percentile: 87.7%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-290
Status: published
Products (1): typecho/typecho 1.3.0
Published: Aug 19, 2024
Tracked Since: Feb 18, 2026