EIP-2026-104008

PRE-CVE

NodeJS Debugger - Command Injection (Metasploit)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104008. PoCs published by Metasploit.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in NodeJS's V8 debugger protocol by sending a crafted 'evaluate' request to execute arbitrary JavaScript code, potentially leading to remote command execution. The exploit targets the debugger port (default 5858) and leverages the 'evaluate' command to inject payloads.

Description

NodeJS Debugger - Command Injection (Metasploit)

Exploits (1)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/42793

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in NodeJS's V8 debugger protocol by sending a crafted 'evaluate' request to execute arbitrary JavaScript code, potentially leading to remote command execution. The exploit targets the debugger port (default 5858) and leverages the 'evaluate' command to inject payloads.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: NodeJS with V8 debugger enabled (Protocol-Version: 1)

No auth needed

Prerequisites: NodeJS debugger port (5858) exposed and accessible · V8 debugger protocol version 1 enabled

MITRE ATT&CK

T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026