CVE-2024-58312

HIGH

xbtitFM 4.1.18 - Unauthenticated Path Traversal via URL Parameter Manipulation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58312. PoCs published by h5kj23kj32io2kj.

AI-analyzed exploit summary: The exploit demonstrates unauthenticated SQL injection and path traversal vulnerabilities in xbtitFM 4.1.18, along with an authenticated insecure file upload leading to RCE. It includes functional payloads and detailed steps for exploitation.

Description

xbtitFM 4.1.18 contains a path traversal vulnerability (CWE-22) that allows unauthenticated attackers to read sensitive files on the server by manipulating URL parameters. An attacker supplies directory traversal sequences, URL-encoded so that they pass through naive input checks, in an HTTP request parameter that the application uses to build a filesystem path; the application then reads a file outside its intended directory and returns its contents.
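The following is an added example, written for this page and not taken from xbtitFM or from the published exploit. It shows the two checks a practitioner wants for a CWE-22 bug of this shape: a containment test that decodes a URL parameter (including double-encoded forms) and confirms the resulting path stays under the web root, and a small access-log scanner that flags requests whose query values decode to a traversal sequence. The parameter name `page`, the web root `/var/www/html` and the log lines are constructed assumptions; nothing here reproduces the exploit payloads.

```python
"""Path-traversal containment check and access-log detection.

Added illustration for CVE-2024-58312 (CWE-22).  Example code written for
this page, not xbtitFM's code.  Parameter names, the web root and the
sample log below are constructed assumptions.
"""

import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log.  Lines 2 and 3 carry encoded and
# double-encoded traversal sequences; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2025:10:00:01 +0000] "GET /index.php?page=torrents HTTP/1.1" 200 5120
10.0.0.9 - - [11/Dec/2025:10:00:07 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834
10.0.0.9 - - [11/Dec/2025:10:00:09 +0000] "GET /index.php?page=%252e%252e%252fconfig HTTP/1.1" 200 900
10.0.0.7 - - [11/Dec/2025:10:00:12 +0000] "GET /index.php?page=news&id=3 HTTP/1.1" 200 2048
"""

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL_MARKERS = ("../", "..\\")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing, so that a
    double-encoded %252e%252e%252f collapses to ../ before any check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(root: str, user_path: str):
    """Return the normalized path of `user_path` inside `root`, or None if
    the decoded value would escape it.

    The check decodes and normalizes first and tests the prefix afterwards,
    so ../ sequences, encoded separators, backslashes, absolute paths and
    embedded NUL bytes are all rejected.  Pure-path logic (posixpath): it
    needs no filesystem access, which keeps it usable in a unit test.
    """
    decoded = decode_fully(user_path).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def request_has_traversal(request_target: str) -> bool:
    """True if any query-parameter value of the request target decodes to a
    path containing ../ or ..\\ (or a NUL byte).  parse_qs performs one
    decoding pass; decode_fully handles the remaining layers."""
    parts = urlsplit(request_target)
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            decoded = decode_fully(value)
            if "\x00" in decoded or any(m in decoded for m in TRAVERSAL_MARKERS):
                return True
    return False


def scan_access_log(text: str):
    """Return (client_ip, request_target) for every log line whose query
    carries a traversal sequence after decoding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and request_has_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
    print(resolve_under_root("/var/www/html", "torrents/list.php"))
    print(resolve_under_root("/var/www/html", "..%2F..%2F..%2Fetc%2Fpasswd"))
```

The containment check rejects on the normalized result rather than on the raw string, so it does not depend on enumerating every encoding of `..`; the log scanner, by contrast, is a detection heuristic and will miss encodings that `unquote` does not reduce to a literal dot-dot, which is a reason to alert on the decoded form server-side as well.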

Exploits (1)

exploitdb WORKING POC
by h5kj23kj32io2kj · textwebappsphp
https://www.exploit-db.com/exploits/51909

Classification
Working PoC (95% confidence)
Attack Type: SQLi | Info Leak | RCE
Complexity: Trivial
Reliability: Reliable
Target: xbtitFM 4.1.18 and prior
Authentication: none needed for the path traversal and SQLi
Prerequisites: Network access to the target · For RCE: admin credentials or SQLi to enable file hosting
Analyzed by devstral-2 on Feb 18, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry: https://www.exploit-db.com/exploits/51909
Product: https://xbtitfm.eu

Scores

CVSS v3.1 base score: 7.5 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0567 (percentile 90.6%)

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Status: published
Products (2)
xbtitfm/xbtitfm 4.1.18
xbtitfm/xbtitFM 4.1.18
Published: Dec 11, 2025
Tracked Since: Feb 18, 2026