CVE-2024-58313

HIGH

xbtitFM 4.1.18 - Authenticated Arbitrary PHP File Upload via File Hosting Feature

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58313. PoCs published by h5kj23kj32io2kj.

AI-analyzed exploit summary: The exploit demonstrates unauthenticated SQL injection and path traversal vulnerabilities in xbtitFM 4.1.18, along with an authenticated insecure file upload leading to RCE. It includes functional payloads and detailed steps for exploitation.

Description

xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.

Exploits (1)

exploitdb · WORKING POC
by h5kj23kj32io2kj · text · webapps · php
https://www.exploit-db.com/exploits/51909

Classification Working PoC 95%
Attack Type SQLi | Info Leak | RCE
Complexity Trivial
Reliability Reliable
Target xbtitFM 4.1.18 and prior
Authentication No auth needed
Prerequisites Network access to the target · For RCE: admin credentials or SQLi to enable file hosting
Analyzed by devstral-2 on Feb 18, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry: https://www.exploit-db.com/exploits/51909
Product: https://xbtitfm.eu

Scores

CVSS v3 7.2
EPSS 0.0013
EPSS Percentile 31.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
xbtitfm/xbtitfm 4.1.18
xbtitfm/xbtitFM 4.1.18
Published Dec 11, 2025
Tracked Since Feb 18, 2026