CVE-2024-58309

CRITICAL

xbtitFM 4.1.18 - Unauthenticated SQL Injection via msgid Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58309. PoCs published by h5kj23kj32io2kj.

AI-analyzed exploit summary: The exploit demonstrates unauthenticated SQL injection and path traversal vulnerabilities in xbtitFM 4.1.18, along with an authenticated insecure file upload leading to RCE. It includes functional payloads and detailed steps for exploitation.

Description

xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.

Exploits (1)

exploitdb · WORKING POC
by h5kj23kj32io2kj · text · webapps · php
https://www.exploit-db.com/exploits/51909


Classification
Working PoC: 95%
Attack Type: SQLi | Info Leak | RCE
Complexity: Trivial
Reliability: Reliable
Target: xbtitFM 4.1.18 and prior
Authentication: No auth needed
Prerequisites: Network access to the target · For RCE: admin credentials or SQLi to enable file hosting
Analyzed by devstral-2 on Feb 18, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry (exploit): https://www.exploit-db.com/exploits/51909
Product (product): https://xbtitfm.eu

Scores

CVSS v3: 9.8
EPSS: 0.0032
EPSS Percentile: 55.7%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-89
Status: published
Products (2)
xbtitfm/xbtitfm 4.1.18
xbtitfm/xbtitFM 4.1.18
Published: Dec 11, 2025
Tracked Since: Feb 18, 2026