EIP-2026-104626

PRE-CVE

ClickHeat 1.13+ - Remote Command Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104626. PoCs published by Calum Hutton.

AI-analyzed exploit summary: The writeup details an unauthenticated RCE vulnerability in ClickHeat 1.13+ due to unsanitized input in the `parseClickLogs.pl` script, allowing command injection via pipe symbols in the `srcFile` parameter. The exploit leverages Perl's `open()` function to execute arbitrary commands when the script is accessed via a URL.

Description

ClickHeat 1.13+ - Remote Command Execution

Exploits (1)

exploitdb WRITEUP
by Calum Hutton · text · webapps · perl
https://www.exploit-db.com/exploits/37115

Classification
Writeup: 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ClickHeat 1.13+
No auth needed
Prerequisites: Apache with Perl CGI support · ExecCGI directive enabled · Publicly accessible `parseClickLogs.pl` script
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026