CVE-2024-43404

CRITICAL

Megacord Megabot < 1.5.0 - Code Injection

Title source: rule

Description

MEGABOT is a fully customized Discord bot for learning and fun. The `/math` command and functionality of MEGABOT versions < 1.5.0 contains a remote code execution vulnerability due to a Python `eval()`. The vulnerability allows an attacker to inject Python code into the `expression` parameter when using `/math` in any Discord channel. This vulnerability impacts any discord guild utilizing MEGABOT. This vulnerability was fixed in release version 1.5.0.

References (5)

[Patch, Vendor Advisory] https://github.com/NicPWNs/MEGABOT/security/advisories/GHSA-vhxp-4hwq-w3p2

[Issue Tracking] https://github.com/NicPWNs/MEGABOT/issues/137

[Issue Tracking, Patch] https://github.com/NicPWNs/MEGABOT/pull/138

[Patch] https://github.com/NicPWNs/MEGABOT/commit/71e79e5581ea36313700385b112d863053fb7ed6

View Patch ZIP pw:eip

[Release Notes] https://github.com/NicPWNs/MEGABOT/releases/tag/v1.5.0

Scores

CVSS v3 9.8

EPSS 0.0434

EPSS Percentile 89.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-95 CWE-94

Status published

Products (1)

megacord/megabot < 1.5.0

Published Aug 20, 2024

Tracked Since Feb 18, 2026