CVE-2024-36858

CRITICAL EXPLOITED NUCLEI

Jan 0.4.12 - Arbitrary File Upload via writeFileSync

Title source: manual

Exploitation Summary

CVE-2024-36858 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.

Nuclei Templates (1)

Jan v0.4.12 - Arbitrary File Upload

CRITICALby pussycat0x

FOFA: icon_hash="-165268926"

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://github.com/HackAllSec/CVEs/tree/main/Jan%20Arbitrary%20File%20Upload%20vulnerability

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0306

EPSS Percentile 85.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-08-15

CWE

CWE-434

Status published

Products (2)

homebrew/jan 0.4.12

janhq/core 0npm

Published Jun 04, 2024

Tracked Since Feb 18, 2026