diff --git a/batch5/CVE-2026-1470.yaml b/batch5/CVE-2026-1470.yaml new file mode 100644 index 000000000000..679679e0180f --- /dev/null +++ b/batch5/CVE-2026-1470.yaml 
@@ -0,0 +1,149 @@ +id: CVE-2026-1470 + +info: + name: n8n - Authenticated Remote Code Execution via Expression Sandbox Bypass + author: eyangfeng88-arch + severity: critical + description: | + n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. + Authenticated users can bypass the Expression sandbox mechanism using JavaScript `with` statements to achieve + full remote code execution on n8n's main node. The vulnerability affects the Expression Node where user-supplied + expressions are evaluated without sufficient isolation from the underlying runtime. + + Attack vector: Authenticated user creates/modifies a workflow with malicious expression like: + {{ (function(){ var constructor = 123; with(function(){}){ return constructor("return process.mainModule.require('child_process').execSync('id').toString()")() } })() }} + + Affected versions: + - n8n < 1.123.17 + - n8n >= 2.0.0, < 2.4.5 + - n8n >= 2.5.0, < 2.5.1 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-1470 + - https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04 + - https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2026-1470 + cwe-id: CWE-95 + metadata: + vendor: n8n + product: n8n + shodan-query: http.title:"n8n" + affected_versions: + - n8n < 1.123.17 + - n8n >= 2.0.0, < 2.4.5 + - n8n >= 2.5.0, < 2.5.1 + patched_versions: + - n8n >= 1.123.17 + - n8n >= 2.4.5 + - n8n >= 2.5.1 + tags: cve,cve2026,n8n,rce,authenticated,eval-injection,workflow,sandbox-escape + +http: + # Step 1: Detect n8n instance + - method: GET + path: + - "{{BaseURL}}/" + + matchers-condition: and + matchers: + - type: word + words: + - "n8n" + - "workflow" + - "automation" + condition: or + + - type: status + status: + - 200 + - 302 + + extractors: + - type: regex + part: body + name: version + regex: + - 
"(?i)n8n[\\s\\-]*(?:version)?\\s*([0-9]+\\.[0-9]+\\.[0-9]+)" + group: 1 + internal: true + + # Step 2: Check health endpoint + - method: GET + path: + - "{{BaseURL}}/healthz" + + matchers-condition: and + matchers: + - type: word + words: + - "ok" + - "healthy" + condition: or + + - type: status + status: + - 200 + + # Step 3: Check REST API version endpoint (may require auth) + - method: GET + path: + - "{{BaseURL}}/rest/version" + + matchers-condition: and + matchers: + - type: word + words: + - "version" + + - type: status + status: + - 200 + - 401 + + extractors: + - type: json + part: body + name: api_version + json: + - ".version" + internal: true + + # Step 4: Check workflows endpoint (requires auth) + - method: GET + path: + - "{{BaseURL}}/rest/workflows" + + matchers: + - type: status + status: + - 200 + - 401 + - 403 + + # Step 5: Version-based vulnerability check + - method: GET + path: + - "{{BaseURL}}/rest/version" + + matchers-condition: and + matchers: + - type: word + words: + - "version" + + - type: status + status: + - 200 + + extractors: + - type: json + part: body + name: detected_version + json: + - ".version" + + - type: dsl + dsl: + - '"Detected n8n version: " + detected_version' diff --git a/batch5/CVE-2026-34040.yaml b/batch5/CVE-2026-34040.yaml new file mode 100644 index 000000000000..ee14133e02d2 --- /dev/null +++ b/batch5/CVE-2026-34040.yaml 
@@ -0,0 +1,55 @@ +id: CVE-2026-34040 + +info: + name: Docker Engine (Moby) - Authorization Plugin Bypass + author: eyangfeng88-arch + severity: high + description: | + A security vulnerability has been detected in Moby (Docker Engine) that allows attackers to bypass authorization plugins (AuthZ). + Prior to version 29.3.1, an attacker could make the Docker daemon forward a request to an authorization plugin without the body, + potentially allowing a request that would have otherwise been denied. This is an incomplete fix for CVE-2024-41110. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-34040 + - https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2 + - https://github.com/moby/moby/releases/tag/docker-v29.3.1 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2026-34040 + cwe-id: CWE-288 + metadata: + vendor: docker + product: moby + affected_versions: + - Moby (Docker Engine) < 29.3.1 + patched_versions: + - Moby (Docker Engine) >= 29.3.1 + tags: cve,cve2026,docker,moby,authz,bypass,container + +http: + - method: GET + path: + - "{{BaseURL}}/version" + + matchers-condition: and + matchers: + - type: word + words: + - "Docker" + - "ApiVersion" + condition: or + + - type: status + status: + - 200 + + extractors: + - type: json + part: body + name: version + json: + - ".Version" + + - type: dsl + dsl: + - 'compare_versions(version, "<29.3.1")' diff --git a/batch5/CVE-2026-34793.yaml b/batch5/CVE-2026-34793.yaml new file mode 100644 index 000000000000..2cd37fe34e46 --- /dev/null +++ b/batch5/CVE-2026-34793.yaml 
@@ -0,0 +1,66 @@ +id: CVE-2026-34793 + +info: + name: Endian Firewall - Authenticated OS Command Injection + author: eyangfeng88-arch + severity: high + description: | + Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands + via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is used to construct + a file path that is passed to a Perl open() call, which allows command injection due to incomplete + regular expression validation. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-34793 + - https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-firewall-cgi-date-perl-command-injection + classification: + cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N + cvss-score: 8.7 + cve-id: CVE-2026-34793 + cwe-id: CWE-78 + metadata: + vendor: endian + product: firewall + shodan-query: http.title:"Endian Firewall" + affected_versions: + - Endian Firewall <= 3.3.25 + patched_versions: + - Endian Firewall > 3.3.25 + tags: cve,cve2026,endian,firewall,rce,authenticated,command-injection,cgi + +http: + - method: GET + path: + - "{{BaseURL}}/" + + matchers-condition: and + matchers: + - type: word + words: + - "Endian Firewall" + - "Endian" + condition: or + + - type: status + status: + - 200 + - 302 + + extractors: + - type: regex + part: body + name: version + regex: + - "(?i)Endian\\s*(?:Firewall)?\\s*(?:version)?\\s*([0-9]+\\.[0-9]+\\.[0-9]+)" + group: 1 + + - method: GET + path: + - "{{BaseURL}}/cgi-bin/logs_firewall.cgi" + + matchers: + - type: status + status: + - 200 + - 401 + - 403 + - 302 diff --git a/batch5/CVE-2026-4681.yaml b/batch5/CVE-2026-4681.yaml new file mode 100644 index 000000000000..e20d76d67155 --- /dev/null +++ b/batch5/CVE-2026-4681.yaml 
@@ -0,0 +1,127 @@ +id: CVE-2026-4681 + +info: + name: PTC Windchill & FlexPLM - Remote Code Execution via Deserialization + author: eyangfeng88-arch + severity: critical + description: | + A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. + The vulnerability may be exploited through the deserialization of untrusted data via the Publish servlet. + This issue affects Windchill PDMLink versions 11.0 M030 through 13.1.3.0 and FlexPLM versions 11.0 M030 through 13.0.3.0. + + IMPORTANT: This template detects the presence of the vulnerable Publish servlet endpoint. + Manual verification is required to confirm the exact Windchill/FlexPLM version is within affected range. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-4681 + - https://github.com/advisories/GHSA-jfrx-fmg3-3p8m + - https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: CVE-2026-4681 + cwe-id: CWE-94 + metadata: + vendor: ptc + product: windchill + affected_versions: + - Windchill PDMLink 11.0 M030 + - Windchill PDMLink 11.1 M020 + - Windchill PDMLink 11.2.1.0 + - Windchill PDMLink 12.0.2.0 + - Windchill PDMLink 12.1.2.0 + - Windchill PDMLink 13.0.2.0 + - Windchill PDMLink 13.1.0.0 + - Windchill PDMLink 13.1.1.0 + - Windchill PDMLink 13.1.2.0 + - Windchill PDMLink 13.1.3.0 + - FlexPLM 11.0 M030 through 13.0.3.0 + patched_versions: [] + tags: cve,cve2026,ptc,windchill,flexplm,rce,deserialization,kev,intrusive + +http: + # Step 1: Detect Windchill instance via homepage + - method: GET + path: + - "{{BaseURL}}/" + + matchers-condition: and + matchers: + - type: word + words: + - "Windchill" + - "PTC" + condition: or + + - type: status + status: + - 200 + - 302 + + extractors: + - type: regex + part: body + name: product_detect + regex: + - "(?i)(Windchill|FlexPLM)" + internal: 
true + + # Step 2: Check vulnerable Publish servlet endpoint (primary attack vector) + - method: GET + path: + - "{{BaseURL}}/servlet/WindchillGW/com.ptc.wvs.server.publish.Publish" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Windchill" + - "PTC" + - "publish" + - "Publish" + condition: or + + - type: status + status: + - 200 + - 403 + - 401 + - 500 + + extractors: + - type: kval + part: header + kval: + - "Server" + + - type: dsl + dsl: + - '"VULNERABLE: Publish servlet endpoint exposed - Manual version verification required (affected: Windchill 11.0 M030 - 13.1.3.0, FlexPLM 11.0 M030 - 13.0.3.0)"' + + # Step 3: Check alternate Publish servlet path + - method: GET + path: + - "{{BaseURL}}/servlet/WindchillAuthGW/com.ptc.wvs.server.publish.Publish" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Windchill" + - "PTC" + - "publish" + - "Publish" + condition: or + + - type: status + status: + - 200 + - 403 + - 401 + - 500 + + extractors: + - type: dsl + dsl: + - '"VULNERABLE: AuthGW Publish servlet endpoint exposed - Manual version verification required"' diff --git a/batch5/CVE-2026-6204.yaml b/batch5/CVE-2026-6204.yaml new file mode 100644 index 000000000000..3913536e71b2 --- /dev/null +++ b/batch5/CVE-2026-6204.yaml 
@@ -0,0 +1,111 @@ +id: CVE-2026-6204 + +info: + name: LibreNMS - Authenticated Remote Code Execution via Binary Path Manipulation + author: eyangfeng88-arch + severity: high + description: | + LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability. + An administrator can modify the binary path settings for network diagnostic tools at /settings/external/binaries + and bypass input validation to execute arbitrary commands via the /ajax/netcmd endpoint. + The vulnerability exploits the `ip_or_hostname` validator which allows `/` character, enabling URL or file path injection. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-6204 + - https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh + - https://projectblack.io/blog/librenms-authenticated-rce-and-xss/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2026-6204 + cwe-id: CWE-78 + metadata: + vendor: librenms + product: librenms + shodan-query: title:"LibreNMS" + affected_versions: + - LibreNMS < 26.3.0 + patched_versions: + - LibreNMS >= 26.3.0 + tags: cve,cve2026,librenms,rce,authenticated,command-injection,intrusive + +http: + # Step 1: Detect LibreNMS instance and extract version + - method: GET + path: + - "{{BaseURL}}/" + + matchers-condition: and + matchers: + - type: word + words: + - "LibreNMS" + - "librenms" + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + name: version + regex: + - "(?i)LibreNMS\\s*(?:version)?\\s*([0-9]+\\.[0-9]+\\.[0-9]+)" + group: 1 + internal: true + + # Step 2: Check vulnerable endpoint - /ajax/netcmd (requires auth) + - method: GET + path: + - "{{BaseURL}}/ajax/netcmd" + + matchers: + - type: status + status: + - 401 + - 403 + - 302 + + # Step 3: Check binary settings page (requires admin auth) + - method: GET + path: + - "{{BaseURL}}/settings/external/binaries" + + matchers: + - type: status + 
status: + - 200 + - 302 + - 401 + - 403 + + # Step 4: Version-based detection from about page + - method: GET + path: + - "{{BaseURL}}/about/" + + matchers-condition: and + matchers: + - type: word + words: + - "LibreNMS" + - "Version" + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + name: detected_version + regex: + - "(?i)Version[:\\s]+([0-9]+\\.[0-9]+\\.[0-9]+)" + group: 1 + + - type: dsl + dsl: + - '"Vulnerable version: " + detected_version + " (fixed in 26.3.0)"' + condition: and
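Review bot: in batch5/CVE-2026-1470.yaml nothing in the `http` block gates on the detected version, so this `critical` RCE template fires on every reachable n8n, and step 1 also fires on any 200/302 page containing the bare word `workflow` or `automation` (the three words are `condition: or` with no product-specific anchor). The only `dsl` entry is an extractor that prints `"Detected n8n version: " + detected_version`; make it a matcher instead, e.g. under step 5's `matchers` add `- type: dsl` with `dsl: - 'compare_versions(detected_version, "< 1.123.17") || compare_versions(detected_version, ">= 2.0.0", "< 2.4.5") || compare_versions(detected_version, ">= 2.5.0", "< 2.5.1")'` (nuclei's `compare_versions` accepts several constraints per call), and keep the extractor `internal: true` as the other templates in this batch do. Step 3 and step 5 both request `{{BaseURL}}/rest/version`, so one of them should go; step 4 matches 200, 401 and 403, i.e. every response, and step 1's `internal: true` `version` extractor is never referenced, so drop those as well. Since the check ends up version-only, the `eval-injection` and `sandbox-escape` tags overstate what the template does; the embedded payload in `description` is useful context but it is not sent.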
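Review bot: in batch5/CVE-2026-34040.yaml the `compare_versions(version, "<29.3.1")` line sits under `extractors`, so it only annotates output; the template matches on the word and status matchers alone and reports every exposed Docker API as vulnerable. Move it under `matchers` as `- type: dsl` with `dsl: - 'compare_versions(version, "< 29.3.1")'` (`matchers-condition: and` is already set) and mark the `version` extractor `internal: true`. Two caveats belong in `description`: the AuthZ bypass only matters where an authorization plugin is configured, which `/version` cannot tell you, and a daemon API answering unauthenticated over the network is a far larger exposure than this CVE irrespective of version, so the result should be read as a version check, not a confirmed bypass. The `Docker`/`ApiVersion` word match with `condition: or` also accepts other engines that implement the Docker Engine API (Podman's compatibility API returns `ApiVersion` too); checking the `Platform.Name` field in the same JSON would restrict it to Moby.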
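Review bot: in batch5/CVE-2026-34793.yaml the second request matches status 200, 401, 403 and 302 on `/cgi-bin/logs_firewall.cgi`, which is every plausible response, and the first request's `version` extractor feeds no matcher, so any host whose landing page contains `Endian` is reported as a high command-injection finding. Either gate on the version with a `dsl` matcher such as `compare_versions(version, "<= 3.3.25")` (keeping the extractor `internal: true`) or drop the extractor; and if the login page does not actually print a version string, the regex silently yields nothing and the template degrades to product fingerprinting, which the `rce` and `command-injection` tags then overstate. Under `condition: or` the `Endian Firewall` word is redundant with `Endian`. The CGI itself requires authentication per the description, so an active check would need a login step with `{{username}}`/`{{password}}` variables; if that is out of scope, say "detection only" in `description`, as the Windchill template in this batch does.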
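Review bot: in batch5/CVE-2026-4681.yaml the two Publish-servlet requests accept status 200, 403, 401 or 500 together with any of `Windchill`, `PTC`, `publish`, `Publish` in the body, so a login redirect or a generic Windchill error page satisfies them, yet the `dsl` extractor prints `VULNERABLE: Publish servlet endpoint exposed`. A GET that comes back 401/403/500 does not show the deserialization path is reachable; reword the output to something like "Publish servlet responded, version check required" and drop the `VULNERABLE:` prefix so downstream triage does not treat it as confirmed. Further: `cwe-id: CWE-94` disagrees with the description, which is deserialization of untrusted data (CWE-502), so verify it against the NVD entry; the `kev` tag asserts a CISA KEV listing that none of the three references supports, so add the KEV reference or remove the tag; `intrusive` is unwarranted for two plain GETs and users who filter that tag out will miss the check; `patched_versions: []` reads as "no fix exists", which the linked PTC advisory presumably contradicts, so list its fixed builds or delete the key rather than asserting an empty list; and the step-1 `product_detect` extractor is `internal: true` but never referenced.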
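Review bot: in batch5/CVE-2026-6204.yaml `cvss-score: 7.2` does not match the vector `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`, which scores 9.1; 7.2 is that vector with `S:U`. Fix whichever side is wrong, and adjust `severity` with it (9.1 is critical, 7.2 is high). In the `http` block, step 2 matches 401, 403 and 302 on `/ajax/netcmd`, which is exactly what every LibreNMS returns to an unauthenticated scanner, and step 4's final extractor prints `"Vulnerable version: " + detected_version + " (fixed in 26.3.0)"` with no version gate (the trailing `condition: and` on a single-entry `dsl` extractor has no effect). Add `- type: dsl` with `dsl: - 'compare_versions(detected_version, "< 26.3.0")'` under step 4's `matchers`, mark the extractor `internal: true`, and remove steps 2 and 3, which confirm nothing. If `/about/` sits behind the login, the step-4 regex never fires against an unauthenticated target and the template is pure fingerprinting; the step-1 `version` extractor is `internal: true` and unused, so either use it as the fallback for the gate or drop it.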