CVE-2024-40318

HIGH

Webkul Qloapps <1.6.0.0 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-40318. PoCs published by 3v1lC0d3.

AI-analyzed exploit summary The repository describes a remote code execution (RCE) vulnerability in QloApps 1.6.0.0, where an attacker can upload a modified module to bypass PHP file upload restrictions and execute arbitrary code via a crafted 'cronjob.php' file. The writeup lacks technical depth but provides a high-level overview of the exploit mechanism.

Description

An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file.

Exploits (1)

nomisec WRITEUP

by 3v1lC0d3 · poc

https://github.com/3v1lC0d3/RCE-QloApps-CVE-2024-40318

View Code ZIP pw:eip

The repository describes a remote code execution (RCE) vulnerability in QloApps 1.6.0.0, where an attacker can upload a modified module to bypass PHP file upload restrictions and execute arbitrary code via a crafted 'cronjob.php' file. The writeup lacks technical depth but provides a high-level overview of the exploit mechanism.

Classification

Writeup 70%

Attack Type

Rce

Complexity

Moderate

Reliability

Theoretical

Target: QloApps 1.6.0.0

Auth required

Prerequisites: Access to the administrator panel · Ability to upload modified modules

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://github.com/3v1lC0d3/RCE-QloApps/blob/main/qloapps--RCE.pdf

View Exploit ZIP pw:eip

Scores

CVSS v3 7.2

EPSS 0.0118

EPSS Percentile 63.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

webkul/qloapps 1.6.0

Published Jul 25, 2024

Tracked Since Feb 18, 2026