CVE-2024-5736

HIGH

AdmirorFrames < 5.0 - Server-Side Request Forgery via afGdStream.php


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-5736. PoCs published by afine-com.

AI-analyzed exploit summary: The repository provides a detailed writeup for CVE-2024-5736, an SSRF vulnerability in the AdmirorFrames Joomla! extension. The issue arises from improper handling of the `$_GET['src_file']` parameter in `afGdStream.php`, allowing arbitrary file reads via the `imagecreatefrompng` function.

Description

Server-Side Request Forgery (SSRF) vulnerability in the AdmirorFrames Joomla! extension: the afGdStream.php script allows access to local files or to server pages that are reachable only from localhost. This issue affects AdmirorFrames versions before 5.0.

Exploits (1)

Source: nomisec
Type: Writeup (PoC) by afine-com
URL: https://github.com/afine-com/CVE-2024-5736

Classification: Writeup (100%)
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: AdmirorFrames Joomla! Extension < 5.0
Authentication: none required
Prerequisites: Access to the vulnerable endpoint with the `src_file` parameter
Analyzed by: devstral-2, Feb 16, 2026

References (5)

Core References (5)
Third Party Advisory: https://cert.pl/en/posts/2024/06/CVE-2024-5735/
Third Party Advisory: https://cert.pl/posts/2024/06/CVE-2024-5735/
Exploit, Third Party Advisory (technical description): https://github.com/afine-com/CVE-2024-5736

Scores

CVSS v3: 7.5
EPSS: 0.0123
EPSS Percentile: 64.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-918
Status: published
Products (1): admiror-design-studio/admirorframes < 5.0
Published: Jun 28, 2024
Tracked Since: Feb 18, 2026