
Create CVE-2026-38526.yaml #15956

Open
pussycat0x wants to merge 2 commits into main from pussycat0x-patch-22

Conversation

@pussycat0x (Contributor)

PR Information

  • Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
  • References:

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

PoC Screenshots

nuclei -u http://02z6xz2lda8qnk7vnrfh7vxv6ajc9ixd.tryneoai.com/ -t poc1.yaml -var username=admin@example.com -var password=admin123

Step 1: [screenshot]

Step 2: [screenshot]

Step 3: [screenshot]

Step 4: [screenshot]

Step 5: [screenshot]

Additional Details (leave it blank if not applicable)

Additional References:

@pussycat0x pussycat0x added the Done Ready to merge label Apr 17, 2026
@pussycat0x pussycat0x self-assigned this Apr 17, 2026
@github-actions github-actions Bot requested a review from theamanrawat April 17, 2026 18:19

neo-by-projectdiscovery-dev Bot commented Apr 20, 2026

Neo - Nuclei Template Review

High: 1

Current PR state: 1 high active finding.

Highlights

  • High: Verification logic mismatch will cause false negatives in http/cves/2026/CVE-2026-38526.yaml:121

High (1)
  • Verification logic mismatch will cause false negatives (http/cves/2026/CVE-2026-38526.yaml:121)
    The template uploads a PHP file that outputs md5("{{randstr}}") (line 96), but the verification matcher checks if the response body contains the plaintext {{randstr}} (line 121). This is a logic mismatch: the PHP code will output a 32-character hexadecimal MD5 hash, not the original random string. As a result, the matcher will never succeed, even when targeting a vulnerable system.
Security Impact

Verification logic mismatch will cause false negatives (http/cves/2026/CVE-2026-38526.yaml:121):
The template will produce false negatives, failing to detect vulnerable Krayin CRM instances. Security teams relying on this template will miss exploitable systems, leaving them exposed to RCE attacks. The template has been marked as 'verified: true' but cannot actually verify the vulnerability due to this logic error.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@http/cves/2026/CVE-2026-38526.yaml` at line 121, the matcher checks for
plaintext `{{randstr}}` in the response body, but the uploaded PHP code at line
96 outputs `md5("{{randstr}}")`. Change the matcher from `contains(body,
"{{randstr}}")` to `contains(body, md5("{{randstr}}"))` to correctly verify that
the uploaded PHP file executed and returned the expected MD5 hash.

Hardening Notes
  • Consider adding a second verification step that checks for the exact MD5 hash value in addition to the Nuclei DSL matcher, to catch edge cases where the response might be modified
  • Add a comment in the template explaining the verification logic (why MD5 is used) to help future maintainers understand the intent


- type: dsl
  dsl:
    - status_code == 200
    - contains(body, "{{randstr}}")
Contributor (inline review comment on http/cves/2026/CVE-2026-38526.yaml:121)

🟠 Verification logic mismatch will cause false negatives — The template uploads a PHP file that outputs md5("{{randstr}}") (line 96), but the verification matcher checks if the response body contains the plaintext {{randstr}} (line 121). This is a logic mismatch: the PHP code will output a 32-character hexadecimal MD5 hash, not the original random string. As a result, the matcher will never succeed, even when targeting a vulnerable system.

Suggested change
- contains(body, "{{randstr}}")
- contains(body, "{{randstr}}")
+ contains(body, md5("{{randstr}}"))
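Review bot: the replacement matcher is sound only because PHP's md5() and nuclei's md5() DSL helper both emit the 32-character lowercase hex digest, so the two strings compare byte for byte; if the uploaded payload is ever changed to emit the digest in another encoding, the matcher on line 121 must change with it. Keep `status_code == 200` in the same dsl block so the digest is required on a successful response, and record why the digest rather than `{{randstr}}` is matched in a template comment, as the hardening notes ask.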
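The false negative Neo describes, reproduced as an added Python example (not code from the PR or the nuclei-templates project): a constructed stand-in for a vulnerable host answers with the MD5 digest of the random string, as the uploaded PHP does, and both the submitted and the suggested matcher are evaluated against a vulnerable and a patched host. The host simulators, the matcher functions and the sample random string are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for a vulnerable host: the uploaded PHP file runs
# md5("{{randstr}}"), so the probe response carries the 32-character
# lowercase hex digest, never the random string itself.
def vulnerable_host(randstr: str) -> tuple[int, str]:
    return 200, hashlib.md5(randstr.encode()).hexdigest()

# Constructed stand-in for a patched host: the upload is rejected and the
# probe path does not exist.
def patched_host(randstr: str) -> tuple[int, str]:
    return 404, "Not Found"

def md5(value: str) -> str:
    """Mirror of the nuclei DSL md5() helper: lowercase hex digest."""
    return hashlib.md5(value.encode()).hexdigest()

def matcher_as_submitted(status_code: int, body: str, randstr: str) -> bool:
    """PR line 121: status_code == 200 && contains(body, "{{randstr}}").
    Can only fire by coincidence, since the body never holds the raw string."""
    return status_code == 200 and randstr in body

def matcher_as_suggested(status_code: int, body: str, randstr: str) -> bool:
    """Neo's suggestion: status_code == 200 && contains(body, md5("{{randstr}}"))."""
    return status_code == 200 and md5(randstr) in body

def classify(matcher, randstr: str) -> dict[str, bool]:
    """Run one matcher against both hosts. Keys name the host, values say
    whether the template would report it as vulnerable (the True Positive /
    False Positive checks the PR template asks contributors to perform)."""
    return {
        "vulnerable": matcher(*vulnerable_host(randstr), randstr),
        "patched": matcher(*patched_host(randstr), randstr),
    }

if __name__ == "__main__":
    # Fixed sample value standing in for a {{randstr}} nuclei would generate.
    r = "abc123XYZ0"
    print("as submitted:", classify(matcher_as_submitted, r))  # vulnerable host missed
    print("as suggested:", classify(matcher_as_suggested, r))  # vulnerable host detected
```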

@pussycat0x pussycat0x removed the Done Ready to merge label Apr 20, 2026