{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/joro--v1.1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Joro (≤ v1.1.0)"],"_cs_severities":["critical"],"_cs_tags":["rce","web-exploitation","vulnerability","javascript","cross-origin","cors"],"_cs_type":"advisory","_cs_vendors":["BishopFox"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-53649) affects BishopFox Joro versions ≤ v1.1.0 when running in its default proxy mode. An attacker can achieve unauthenticated remote code execution (RCE) on an operator's workstation (Linux/macOS) by leveraging a combination of weaknesses. Joro exposes a local API on \u003ccode\u003e127.0.0.1:9090\u003c/code\u003e which lacks authentication and applies a wildcard CORS policy. This design flaw allows cross-origin JavaScript on any attacker-controlled webpage to POST \u003ccode\u003emultipart/form-data\u003c/code\u003e requests directly to privileged API endpoints, such as \u003ccode\u003e/api/v1/plugins/upload\u003c/code\u003e and \u003ccode\u003e/api/v1/system/restart\u003c/code\u003e, through the victim's browser. Since Joro plugins execute their \u003ccode\u003einit()\u003c/code\u003e functions upon loading, this mechanism allows for an unauthenticated RCE as the operator's user with a single page visit. The vulnerability was reported on 2026-05-27 and an advisory published on 2026-07-08.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe operator visits an attacker-controlled web page in their browser (e.g., Firefox).\u003c/li\u003e\n\u003cli\u003eJavaScript embedded in the attacker's page fetches a malicious shared object (\u003ccode\u003epwn.so\u003c/code\u003e) from the attacker's server.\u003c/li\u003e\n\u003cli\u003eThe JavaScript then POSTs the \u003ccode\u003epwn.so\u003c/code\u003e file to the local Joro API endpoint \u003ccode\u003ehttp://127.0.0.1:9090/api/v1/plugins/upload\u003c/code\u003e as \u003ccode\u003emultipart/form-data\u003c/code\u003e. Joro accepts this request due to the lack of authentication and permissive CORS policy.\u003c/li\u003e\n\u003cli\u003eImmediately following, the JavaScript POSTs a request to \u003ccode\u003ehttp://127.0.0.1:9090/api/v1/system/restart\u003c/code\u003e, instructing Joro to re-execute.\u003c/li\u003e\n\u003cli\u003eUpon restart, Joro attempts to open the newly uploaded \u003ccode\u003epwn.so\u003c/code\u003e plugin. During the \u003ccode\u003eplugin.Open()\u003c/code\u003e call, the plugin's \u003ccode\u003einit()\u003c/code\u003e function is executed before any symbol lookup.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003einit()\u003c/code\u003e function initiates a connection back to the attacker's listener, granting the attacker an interactive \u003ccode\u003e/bin/bash -i\u003c/code\u003e shell as the operator's user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to unauthenticated, remote, browser-mediated code execution as the operator's user on affected Linux and macOS systems. The exploit pivots through the victim's browser to the loopback-bound Joro API, effectively bypassing network isolation typically assumed for \u003ccode\u003e127.0.0.1\u003c/code\u003e services. A single malicious \u003ccode\u003e.so\u003c/code\u003e plugin can be crafted to work against all operators running the affected Joro release, enabling widespread compromise of Joro users. The impact is direct system compromise and full control over the operator's user context.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade BishopFox Joro to a version greater than v1.1.0 immediately to patch CVE-2026-53649. Specifically, ensure the fixes introduced in commits \u003ccode\u003e5c0ca35\u003c/code\u003e and \u003ccode\u003e871936f\u003c/code\u003e are applied.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect attempts at exploiting this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnsure that web server logs (or application-level logs for Joro's API) are configured to capture requests to \u003ccode\u003e127.0.0.1:9090\u003c/code\u003e, including \u003ccode\u003ecs-method\u003c/code\u003e and \u003ccode\u003ecs-uri-stem\u003c/code\u003e fields, to enable detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T20:36:09Z","date_published":"2026-07-08T20:36:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-joro-rce/","summary":"Joro's default proxy mode (versions ≤ v1.1.0) is vulnerable to unauthenticated remote code execution (CVE-2026-53649) via a local API on `127.0.0.1:9090` that allows cross-origin JavaScript to upload a malicious native plugin and trigger a system restart, leading to RCE as the operator's user from a single page visit.","title":"Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-joro-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Joro (≤ V1.1.0)","version":"https://jsonfeed.org/version/1.1"}