Php — CraftedSignal Threat Feed

Composer Command Injection via Malicious Perforce Repository

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

Composer, a dependency manager for PHP, is susceptible to a command injection vulnerability (CVE-2026-40176) in versions 2.0.0 before 2.2.27 and versions 2.3.0 before 2.9.6. The vulnerability resides in the Perforce::generateP4Command() method, which improperly escapes user-supplied Perforce connection parameters (port, user, client) when constructing shell commands. This allows an attacker who controls a repository configuration, specifically within a malicious composer.json file declaring a Perforce VCS repository, to inject arbitrary commands. The injected commands are executed in the context of the user running Composer, even if Perforce is not installed. This vulnerability can be exploited if Composer is run on untrusted projects with attacker-supplied composer.json files.

Attack Chain

An attacker crafts a malicious composer.json file.
The malicious composer.json declares a Perforce VCS repository.
The composer.json contains injected commands within the Perforce connection parameters (port, user, client).
A user unknowingly executes a Composer command (e.g., composer install) in a directory containing the malicious composer.json.
Composer parses the composer.json and calls the Perforce::generateP4Command() method.
The Perforce::generateP4Command() method constructs a shell command using the attacker-controlled, unescaped Perforce connection parameters.
Composer executes the injected command via proc_open or similar functions.
The attacker achieves arbitrary command execution in the context of the user running Composer, potentially leading to sensitive information disclosure, system compromise, or further malicious activities.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary commands on the victim’s system with the privileges of the user running Composer. This can lead to complete system compromise, data exfiltration, or denial of service. While the number of victims is currently unknown, any system running a vulnerable version of Composer and processing untrusted composer.json files is at risk. The primary attack vector involves tricking developers into running Composer on projects containing malicious composer.json files.

Recommendation

Upgrade Composer to version 2.2.27 or 2.9.6 or later to patch CVE-2026-40176.
Carefully inspect composer.json files from untrusted sources before running Composer to verify Perforce-related fields contain valid values.
Deploy the Sigma rule to detect command execution with suspicious arguments when composer executes and tune for your environment.

PHPGurukul Daily Expense Tracking System SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 12:00:00 +0000

A critical security flaw has been identified in PHPGurukul Daily Expense Tracking System version 1.1. This vulnerability resides in the /register.php file and is triggered by manipulating the email argument. Successful exploitation enables remote SQL injection, potentially granting attackers unauthorized access to sensitive database information or allowing them to modify data. This vulnerability, identified as CVE-2026-6193, has a CVSS v3.1 score of 7.3, indicating a high level of severity. The existence of a publicly available exploit increases the risk of widespread exploitation. Organizations using this software should take immediate action to mitigate the risk.

Attack Chain

An attacker identifies a vulnerable instance of PHPGurukul Daily Expense Tracking System 1.1.
The attacker crafts a malicious HTTP request targeting the /register.php endpoint.
Within the request, the attacker injects SQL code into the email parameter.
The application fails to properly sanitize the input, passing the malicious SQL query to the database.
The database executes the injected SQL code, potentially allowing the attacker to read, modify, or delete data.
The attacker may leverage the initial SQL injection to escalate privileges within the database.
The attacker could potentially gain access to administrative credentials stored in the database.
Finally, the attacker uses the compromised credentials to gain full control over the application.

Impact

Successful exploitation of this SQL injection vulnerability could lead to severe consequences. Attackers could gain unauthorized access to sensitive user data, including usernames, passwords, and financial information. This could result in identity theft, financial fraud, and reputational damage for both the organization and its users. The attacker could also modify or delete data, disrupt the application’s functionality, or even gain complete control of the server. Given the availability of a public exploit, the likelihood of attacks is significantly increased.

Recommendation

Apply any available patches or updates provided by PHPGurukul to address CVE-2026-6193.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts in PHPGurukul Registration” to identify exploitation attempts targeting the /register.php endpoint.
Implement input validation and sanitization measures on the email parameter in /register.php to prevent SQL injection.
Monitor web server logs for suspicious activity, such as unusual characters or SQL syntax in the email parameter, which could indicate an attempted SQL injection (webserver log source).
Implement a Web Application Firewall (WAF) rule to block requests containing SQL injection payloads targeting /register.php.

Smart Post Show WordPress Plugin PHP Object Injection Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 06:17:10 +0000

The Smart Post Show WordPress plugin, specifically the Post Grid, Post Carousel & Slider, and List Category Posts components, contains a PHP Object Injection vulnerability. This flaw affects all versions up to and including 3.0.12. The vulnerability resides in the import_shortcodes() function, where the deserialization of untrusted input occurs. This vulnerability requires an authenticated attacker with administrative privileges or higher. Successful exploitation requires the presence of a suitable Property-Oriented Programming (POP) chain within another installed plugin or theme. Without a POP chain, the injected object has no immediate impact. However, with a POP chain, attackers can potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the server.

Attack Chain

An attacker gains administrative-level access to the WordPress dashboard, either through credential compromise or vulnerability exploitation.
The attacker navigates to the Smart Post Show plugin settings page within the WordPress admin panel.
The attacker crafts a malicious payload containing a serialized PHP object designed to trigger a POP chain.
The attacker injects the malicious payload into the import_shortcodes() function, likely through a form field or file upload.
The import_shortcodes() function deserializes the attacker-controlled input, creating the malicious PHP object.
If a suitable POP chain exists within other installed plugins or themes, the deserialization triggers the chain.
The POP chain executes a series of predefined actions based on the objects and methods involved.
The final objective is achieved, such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code on the server.

Impact

The PHP Object Injection vulnerability in the Smart Post Show WordPress plugin allows attackers to potentially gain remote code execution on the affected server. The impact is contingent on the existence of a POP chain within other installed plugins or themes. If successful, an attacker could potentially compromise the entire web server, leading to data breaches, defacement, or complete system takeover. Given the widespread use of WordPress and this plugin, a successful exploit could affect numerous websites across various sectors.

Recommendation

Upgrade the Smart Post Show plugin to a version greater than 3.0.12 to patch CVE-2026-3017.
Deploy the Sigma rule “Detect WordPress Plugin Deserialization Attempt” to monitor for suspicious deserialization activity on WordPress servers.
Audit all installed WordPress plugins and themes for potential POP chains that could be exploited in conjunction with this vulnerability.

Case Theme User WordPress Plugin Local File Inclusion Vulnerability (CVE-2025-5804)

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

A local file inclusion (LFI) vulnerability, identified as CVE-2025-5804, affects the Case Theme User WordPress plugin before version 1.0.4. The vulnerability stems from insufficient validation of filenames passed to PHP’s include or require statements. This allows an unauthenticated attacker to potentially include arbitrary local files on the server hosting the WordPress instance. Successful exploitation could lead to sensitive information disclosure, arbitrary code execution, or denial of service. The vulnerability was reported and patched by Patchstack. Users of the Case Theme User plugin are advised to upgrade to version 1.0.4 or later to mitigate this risk.

Attack Chain

An attacker identifies a vulnerable Case Theme User plugin running on a WordPress site.
The attacker crafts a malicious HTTP request targeting a PHP file within the plugin that uses an include or require statement.
The attacker modifies a GET or POST parameter associated with the vulnerable include or require statement, injecting a path to a local file (e.g., /etc/passwd).
The web server processes the request, and the PHP interpreter attempts to include the file specified in the attacker-controlled parameter.
Due to the LFI vulnerability, the server includes the attacker-specified local file.
If the included file contains sensitive data, such as configuration files or credentials, the attacker can extract this information from the server’s response.
In more advanced scenarios, the attacker might attempt to include PHP files containing malicious code, achieving remote code execution on the server.

Impact

Successful exploitation of CVE-2025-5804 can lead to a range of impacts, including sensitive information disclosure such as WordPress configuration files (wp-config.php), which contain database credentials. Arbitrary code execution is possible if the attacker can include a file containing malicious PHP code. This could allow the attacker to gain complete control of the WordPress site and the underlying server. The number of affected sites depends on the adoption rate of the vulnerable Case Theme User plugin, but given the widespread use of WordPress, the potential impact could be significant.

Recommendation

Immediately update the Case Theme User WordPress plugin to version 1.0.4 or later to patch CVE-2025-5804.
Deploy the Sigma rule Detect Case Theme User LFI Attempt to your SIEM to identify potential exploitation attempts based on suspicious file paths in HTTP requests.
Monitor web server logs for unusual file access patterns, particularly requests containing “..”, “%2e%2e”, or other directory traversal sequences, to catch LFI attempts (see log source webserver).

PHPGurukul News Portal Project SQL Injection Vulnerability (CVE-2026-5837)

hello@craftedsignal.io — Thu, 09 Apr 2026 04:17:23 +0000

CVE-2026-5837 describes a SQL injection vulnerability affecting PHPGurukul News Portal Project version 4.1. The vulnerability resides in the /news-details.php file and is triggered by manipulating the Comment argument. Successful exploitation allows remote attackers to inject arbitrary SQL commands into the application’s database queries. The vulnerability has a CVSS v3.1 score of 7.3, indicating a high severity. Publicly available exploits exist, increasing the risk of active exploitation. Organizations using PHPGurukul News Portal Project 4.1 are urged to investigate and mitigate this vulnerability immediately. The lack of specific patching information emphasizes the importance of proactive detection and prevention measures.

Attack Chain

An attacker identifies a vulnerable PHPGurukul News Portal Project 4.1 instance accessible over the internet.
The attacker crafts a malicious HTTP request targeting the /news-details.php endpoint.
Within the request, the Comment parameter is manipulated to inject SQL code. For example, the attacker might inject a payload such as ' OR '1'='1 to bypass authentication or extract data.
The vulnerable application processes the crafted request without proper sanitization of the Comment parameter.
The injected SQL code is embedded within a database query executed by the application.
The database server executes the attacker-controlled SQL query, potentially allowing the attacker to read, modify, or delete data.
The application returns the results of the injected SQL query to the attacker, potentially revealing sensitive information or confirming successful code execution.
The attacker leverages the SQL injection vulnerability to potentially gain unauthorized access to sensitive data, modify website content, or even gain control of the underlying server.

Impact

Successful exploitation of CVE-2026-5837 can lead to unauthorized access to sensitive information stored in the PHPGurukul News Portal Project’s database. An attacker could potentially steal user credentials, financial data, or other confidential information. The attacker could also modify website content, inject malicious code, or even gain control of the underlying server. Given the public availability of exploits, vulnerable instances are at immediate risk of compromise.

Recommendation

Deploy the Sigma rule Detecting SQL Injection in PHPGurukul News Portal to identify attempts to exploit CVE-2026-5837 by monitoring for suspicious characters in the cs-uri-query field of web server logs.
Apply web application firewall (WAF) rules to block requests containing common SQL injection payloads.
Review and harden the /news-details.php page to properly sanitize the Comment input field.
Monitor web server logs for unusual activity, especially related to the /news-details.php endpoint, and correlate with other security events.

Everest Forms WordPress Plugin PHP Object Injection Vulnerability

hello@craftedsignal.io — Wed, 08 Apr 2026 02:16:04 +0000

The Everest Forms plugin for WordPress, a widely used form builder, contains a critical PHP Object Injection vulnerability (CVE-2026-3296) affecting versions up to and including 3.4.3. This vulnerability stems from the insecure deserialization of user-supplied data within the html-admin-page-entries-view.php file. Specifically, the plugin uses PHP’s unserialize() function on form entry metadata stored in the wp_evf_entrymeta table without specifying allowed classes, creating an exploitable condition. An unauthenticated attacker can inject malicious serialized PHP objects through any public form field. The sanitize_text_field() function fails to prevent these attacks because it doesn’t strip serialization control characters. This allows attackers to execute arbitrary PHP code on the WordPress server when an administrator views form entries. This vulnerability poses a significant risk to WordPress sites using the Everest Forms plugin.

Attack Chain

An unauthenticated attacker submits a malicious serialized PHP object through a public Everest Forms form field.
The submitted payload bypasses the sanitize_text_field() function due to the function’s failure to remove serialization control characters.
The crafted serialized object is stored in the wp_evf_entrymeta database table associated with the form entry.
An administrator accesses the WordPress administration panel and navigates to the Everest Forms entries section.
The html-admin-page-entries-view.php file is executed to display form entries and their associated metadata.
The plugin retrieves the stored serialized object from the wp_evf_entrymeta table.
The unserialize() function is called on the retrieved data without the allowed_classes parameter, triggering PHP Object Injection.
The injected PHP object is instantiated, leading to arbitrary PHP code execution on the server, potentially granting the attacker complete control over the WordPress site.

Impact

Successful exploitation of this vulnerability (CVE-2026-3296) can lead to complete compromise of the WordPress website. An attacker can gain remote code execution, allowing them to inject malware, deface the site, steal sensitive data (including user credentials and financial information), or use the compromised server as part of a botnet. Given the widespread use of the Everest Forms plugin, a large number of WordPress sites are potentially vulnerable. The CVSS v3.1 base score of 9.8 reflects the critical severity of this vulnerability.

Recommendation

Immediately update the Everest Forms plugin to the latest version (greater than 3.4.3) to patch CVE-2026-3296.
Deploy the Sigma rule Detect Suspicious unserialize Call in Everest Forms to identify potential exploitation attempts in web server logs.
Monitor web server logs for suspicious POST requests to WordPress form submission endpoints containing serialized PHP objects, as detected by the Detect Suspicious Form Submission with Serialized Data Sigma rule.
Implement a Web Application Firewall (WAF) rule to block requests containing serialized PHP objects in form submission data.

Genealogy PHP Application Broken Access Control Vulnerability (CVE-2026-39355)

hello@craftedsignal.io — Tue, 07 Apr 2026 19:16:46 +0000

Genealogy is a family tree PHP application that, prior to version 5.9.1, contained a critical broken access control vulnerability identified as CVE-2026-39355. This flaw allows any authenticated user to transfer ownership of non-personal teams to themselves without proper authorization checks. This unauthorized ownership transfer leads to complete takeover of other users’ team workspaces, granting the attacker unrestricted access to all genealogy data associated with the compromised team. This vulnerability poses a significant risk to data confidentiality and integrity within organizations using affected versions of the Genealogy application. Version 5.9.1 addresses and resolves this vulnerability.

Attack Chain

An attacker authenticates to the Genealogy application with valid user credentials.
The attacker identifies a target “team” within the application that is not their own.
The attacker crafts a malicious HTTP request to the application’s team ownership transfer functionality, specifying the target team and the attacker’s user ID as the new owner.
Due to the broken access control vulnerability (CVE-2026-39355), the application fails to validate the attacker’s authorization to perform the ownership transfer.
The application incorrectly updates the team’s ownership data, assigning ownership to the attacker.
The attacker now possesses full administrative control over the compromised team’s workspace and data.
The attacker accesses and exfiltrates sensitive genealogy data, including family trees, personal information, and other confidential records.

Impact

Successful exploitation of CVE-2026-39355 allows an attacker to gain complete control over targeted teams within the Genealogy application. This leads to unauthorized access to sensitive genealogy data, potentially impacting all users and families represented within the compromised teams. The impact includes data exfiltration, modification, or deletion, potentially causing significant reputational damage and legal liabilities. While the exact number of affected installations is unknown, all organizations running versions prior to 5.9.1 are vulnerable.

Recommendation

Immediately upgrade the Genealogy application to version 5.9.1 or later to patch CVE-2026-39355.
Monitor web server logs for suspicious POST requests to team management endpoints, specifically those related to team ownership transfer. Use the provided Sigma rule Detect Suspicious Genealogy Team Ownership Transfer to detect unauthorized attempts.
Implement strict access control policies within the Genealogy application, ensuring that users can only access and modify data related to teams they are authorized to manage.
Enable detailed logging for all user authentication and authorization events within the Genealogy application to facilitate incident investigation.

Brave CMS Unrestricted File Upload Leads to Remote Code Execution

hello@craftedsignal.io — Mon, 06 Apr 2026 18:16:42 +0000

Brave CMS, an open-source content management system, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-35164) in versions prior to 2.0.6. The vulnerability resides within the CKEditor upload functionality, specifically in the ckupload method located in app/Http/Controllers/Dashboard/CkEditorController.php. The application fails to properly validate the types of uploaded files, relying solely on user-provided input. This lack of validation enables an authenticated user to upload malicious PHP scripts, leading to arbitrary code execution on the server. The vulnerability was reported on April 6, 2026, and is fixed in Brave CMS version 2.0.6. Organizations using affected versions of Brave CMS are at risk of complete system compromise.

Attack Chain

Attacker authenticates to the Brave CMS application as a user with upload privileges.
The attacker navigates to a page or functionality within the CMS that utilizes the CKEditor for content creation or editing.
The attacker uses the CKEditor’s upload functionality to upload a malicious PHP script disguised as a legitimate file type (e.g., image).
The ckupload method in app/Http/Controllers/Dashboard/CkEditorController.php processes the uploaded file without proper validation of the file type or content.
The malicious PHP script is stored on the server in a publicly accessible directory.
The attacker crafts a request to directly access the uploaded PHP script via its URL.
The web server executes the PHP script, granting the attacker the ability to run arbitrary commands on the server.
The attacker establishes persistence, installs a web shell, and performs lateral movement within the network, escalating privileges as needed to achieve their objectives.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected Brave CMS server. This can lead to complete compromise of the CMS instance, including unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity level. Organizations running vulnerable versions of Brave CMS are at risk of data breaches, website defacement, and further exploitation of their infrastructure.

Recommendation

Upgrade Brave CMS to version 2.0.6 or later to remediate the unrestricted file upload vulnerability (CVE-2026-35164).
Implement server-side file validation to prevent the upload of malicious files, regardless of file extension.
Monitor web server logs for suspicious activity related to file uploads and execution of PHP scripts.
Deploy the following Sigma rule to detect attempts to access potentially malicious PHP files in the web server’s upload directories.

Auth0-PHP SDK Cookie Forging Vulnerability (CVE-2026-34236)

hello@craftedsignal.io — Wed, 01 Apr 2026 18:16:30 +0000

The Auth0-PHP SDK, a PHP library for Auth0 Authentication and Management APIs, contains a vulnerability (CVE-2026-34236) affecting versions 8.0.0 to before 8.19.0. The insufficient entropy used in cookie encryption within these versions creates a significant security risk. Attackers could potentially exploit this vulnerability by brute-forcing the encryption key used to protect session cookies. Successful exploitation would allow an attacker to forge session cookies, gaining unauthorized access to applications using the vulnerable SDK. The vulnerability was patched in version 8.19.0. Applications using Auth0-PHP within the specified range are vulnerable.

Attack Chain

Attacker identifies an application using a vulnerable version of the Auth0-PHP SDK (8.0.0 < v < 8.19.0).
The application sets a session cookie encrypted using the SDK’s insufficient entropy encryption.
Attacker intercepts a legitimate user’s session cookie (e.g., via network sniffing or cross-site scripting).
Attacker attempts to brute-force the encryption key used to encrypt the session cookie, leveraging the weakness in the encryption algorithm.
Upon successful brute-forcing, the attacker decrypts the intercepted session cookie and extracts the session identifier.
The attacker constructs a new, forged cookie with the decrypted session identifier.
The attacker injects the forged cookie into their own browser session.
The attacker accesses the application, impersonating the legitimate user and gaining unauthorized access to their account and data.

Impact

Successful exploitation of CVE-2026-34236 allows attackers to forge session cookies, leading to account takeover. The impact is significant, potentially affecting all applications using the vulnerable Auth0-PHP SDK versions 8.0.0 to before 8.19.0. The severity is elevated due to the potential for complete account compromise without requiring user interaction beyond the initial cookie interception. Organizations could face data breaches, financial loss, and reputational damage.

Recommendation

Upgrade Auth0-PHP SDK to version 8.19.0 or later to remediate CVE-2026-34236.
Implement web application firewall (WAF) rules to detect and block suspicious cookie manipulation attempts.
Monitor web server logs for unusual patterns indicative of brute-force attacks against cookie encryption (related to webserver log source).

Protobuf PHP Library Denial of Service Vulnerability

hello@craftedsignal.io — Wed, 25 Mar 2026 21:04:21 +0000

A high-severity denial-of-service (DoS) vulnerability has been identified in the Protobuf PHP library, affecting versions prior to 4.33.6. The vulnerability stems from the improper handling of maliciously structured Protocol Buffer messages. Specifically, messages containing negative varints or exhibiting deep recursion can trigger excessive resource consumption during parsing. This can lead to application crashes, thereby disrupting service availability. Patches addressing this vulnerability have been released in versions 5.34.0-RC1 and 4.33.6 of the Protobuf library. Defenders should prioritize updating vulnerable systems to these patched versions to mitigate potential exploitation.

Attack Chain

An attacker crafts a malicious Protocol Buffer message.
The message contains either negative varints or exploits deep recursion.
The attacker sends the malicious message to a PHP application using the vulnerable Protobuf library.
The PHP application attempts to parse the malicious message using the affected Protobuf library.
During parsing, the negative varints or deep recursion trigger excessive resource consumption, such as CPU or memory.
The application becomes unresponsive due to resource exhaustion.
The application crashes, leading to a denial of service.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition, rendering affected applications unavailable. This can impact any service relying on the Protobuf PHP library to process untrusted data, such as APIs, message queues, or data storage systems. The number of affected services depends on the prevalence of the vulnerable Protobuf library within an organization’s infrastructure. This issue can lead to significant disruption and potential data loss or corruption if applications crash while processing critical data.

Recommendation

Upgrade the composer/google/protobuf package to version 4.33.6 or later to remediate the vulnerability.
Monitor web server logs for anomalous request patterns indicative of exploitation attempts targeting Protobuf message processing (webserver log source).
Implement rate limiting and input validation on services that process Protocol Buffer messages to mitigate the impact of malicious inputs (webserver log source).

PhreeBooks ERP 5.2.3 Remote Code Execution Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:07 +0000

PhreeBooks ERP version 5.2.3 is susceptible to a remote code execution (RCE) vulnerability (CVE-2019-25647) within its image manager component. This flaw enables authenticated attackers to bypass file extension restrictions and upload malicious PHP files. Successful exploitation allows attackers to execute arbitrary code on the underlying server, potentially leading to complete system compromise. The vulnerability exists because the image manager lacks adequate validation of uploaded file types, permitting the upload of PHP files disguised with allowed extensions or lacking extensions altogether. This can lead to reverse shell creation.

Attack Chain

An attacker authenticates to the PhreeBooks ERP 5.2.3 application.
The attacker accesses the image manager functionality.
The attacker crafts a malicious PHP file designed to execute system commands or establish a reverse shell.
The attacker uploads the malicious PHP file through the image manager, bypassing file extension validation. This may involve renaming the file with a permitted extension or omitting the extension entirely.
The attacker identifies the upload location of the malicious PHP file.
The attacker sends an HTTP request to the uploaded PHP file’s location on the server.
The web server executes the PHP code, triggering the attacker’s malicious payload (e.g., reverse shell).
The attacker gains remote access to the server and can execute arbitrary system commands.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the targeted server. This can lead to complete system compromise, including data theft, modification, or destruction. Given that PhreeBooks ERP is used to manage business operations, a successful attack could result in significant financial losses, disruption of services, and reputational damage. There is no specific information about victim count or sectors targeted available from the source.

Recommendation

Apply any available patches or updates for PhreeBooks ERP to address CVE-2019-25647.
Implement the Sigma rule “Detect Suspicious PHP Upload via Image Manager” to detect attempts to upload malicious PHP files through the image manager.
Monitor web server logs for requests to unusual file paths containing PHP code, as this could indicate exploitation attempts.
Restrict access to the image manager functionality to only authorized users.

PhpSpreadsheet SSRF and RCE Vulnerability via IOFactory::load

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

PhpSpreadsheet, a widely used PHP library for reading and writing spreadsheet files, is susceptible to a critical vulnerability that can lead to both Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE). The vulnerability stems from insufficient validation of the $filename parameter passed to the IOFactory::load function. When this parameter is user-controlled, attackers can leverage PHP wrappers such as ftp://, phar://, and ssh2.sftp:// to bypass the is_file check, leading to malicious file inclusion or arbitrary code execution. This flaw affects versions up to and including 1.30.2, as well as versions 2.0.0 through 5.5.0. Exploitation can occur even if the specified file inside the phar archive does not exist or is not a supported file type, potentially masking the attack. Due to PhpSpreadsheet’s widespread use in other popular libraries like maatwebsite/excel and sonata-project/exporter, the impact of this vulnerability is significant.

Attack Chain

An attacker crafts a malicious phar archive (exploit.xlsx) containing a PHP object with a __destruct method that executes arbitrary code via shell_exec.
The attacker hosts the malicious phar archive on a web server or makes it accessible through other means.
The attacker crafts a request to a vulnerable web application using PhpSpreadsheet, providing a phar:// URL (e.g., phar://exploit.xlsx/whatever) as the $filename parameter to IOFactory::load.
IOFactory::load attempts to load the file specified in the $filename parameter, which passes through the vulnerable is_file check.
The phar:// wrapper triggers PHP’s phar extension, which deserializes the metadata within the exploit.xlsx archive.
Deserialization of the malicious PHP object triggers the __destruct method, executing the attacker’s arbitrary code via shell_exec, achieving RCE. The code creates /tmp/poc.txt in the example.
Alternatively, the attacker provides an ftp:// URL to IOFactory::load, pointing to an attacker-controlled FTP server.
The vulnerable is_file check allows the ftp:// connection, leading to an SSRF vulnerability where the server running PhpSpreadsheet connects to the attacker’s specified FTP server.

Impact

Successful exploitation of this vulnerability can lead to a range of severe consequences. Remote Code Execution (RCE) allows an attacker to execute arbitrary commands on the server, potentially leading to complete system compromise. The SSRF vulnerability enables an attacker to probe internal network resources, potentially exposing sensitive information or allowing further attacks on internal systems. Given PhpSpreadsheet’s use in numerous web applications and frameworks, a successful attack could impact a large number of users and organizations. Example impact includes attackers gaining initial access to internal applications.

Recommendation

Apply the suggested mitigations by either checking for PHP wrappers in the filename before calling is_file or by using realpath to ensure a clean absolute path (see code snippets in the advisory).
Deploy the Sigma rule Detect_PhpSpreadsheet_Phar_Wrapper to detect attempts to exploit the RCE vulnerability by monitoring process creation events with command lines containing “phar://” and php.
Deploy the Sigma rule Detect_PhpSpreadsheet_Ftp_Wrapper to detect attempts to exploit the SSRF vulnerability by monitoring network connections with destination ports on FTP protocol (21) and file paths contain ftp.
Monitor web server logs for requests containing the phar:// or ftp:// schemes in the filename parameter to IOFactory::load.

CI4MS Authenticated Remote Code Execution via Theme Upload

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to authenticated remote code execution. The vulnerability lies in the theme upload feature, where any authenticated backend user with theme-upload permissions can upload a crafted ZIP file. PHP files included in the uploaded ZIP are installed into a web-accessible directory without extension or content filtering. This allows attackers to execute arbitrary PHP code on the server by directly accessing the uploaded files via HTTP requests. The vulnerability was reported on April 29, 2026 and can lead to full server compromise if exploited.

Attack Chain

An attacker gains valid credentials for a backend user account with theme upload permissions.
The attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with code to execute system commands via a GET parameter.
The attacker uploads the malicious ZIP file (e.g., evil_theme.zip) through the /backend/themes/upload endpoint using a POST request with multipart/form-data.
The application extracts the ZIP archive to a temporary directory.
The application copies the PHP file from the temporary directory to the public/templates/evil/ directory using the rename() function, with no file type validation or content inspection.
The attacker crafts an HTTP GET request targeting the uploaded PHP file (e.g., /templates/evil/shell.php?c=id).
The web server executes the PHP code, running the system command specified in the ‘c’ parameter.
The output of the executed command is returned in the HTTP response, granting the attacker remote code execution.

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server under the context of the web server user. This can be leveraged to achieve OS-level command execution, potentially leading to data exfiltration, lateral movement, persistence, or full server compromise. Any deployment where a backend user has been granted theme upload permission is vulnerable. While a superadmin already has full privileges, this vulnerability allows lower-privileged roles to escalate their access.

Recommendation

Apply the necessary patch or upgrade to a version of CI4MS beyond 0.31.6.0 to remediate CVE-2026-41587.
Monitor web server logs for suspicious HTTP requests targeting newly created directories under /templates/ with PHP file extensions to detect potential exploitation attempts. Create a rule to detect this.
Implement stricter file upload validation, including file extension allowlists, MIME type checking, and content inspection, to prevent the upload of malicious PHP files.

PhpSpreadsheet CPU Denial of Service via Unbounded Row Number

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

A vulnerability exists in PhpSpreadsheet versions 1.x through 5.6.0 where the XLSX reader does not properly validate row numbers read from XML attributes within a spreadsheet file. Specifically, the ColumnAndRowAttributes::readRowAttributes() method lacks a check against the maximum allowed row number (AddressRange::MAX_ROW = 1,048,576). An attacker can exploit this by crafting a minimal XLSX file (approximately 1.6KB) containing a element. When processed, this inflates the cachedHighestRow property, causing subsequent row iteration operations to attempt nearly one billion loop cycles, thereby exhausting CPU resources and leading to a denial-of-service condition. This vulnerability can be exploited in web applications that accept user-uploaded spreadsheet files, making it a significant risk for systems using vulnerable versions of PhpSpreadsheet. The vulnerability was reported in GHSA-7c6m-4442-2x6m.

Attack Chain

An attacker crafts a malicious XLSX file containing an XML element with a large r attribute (e.g., ).
The attacker uploads the malicious XLSX file to a web application or system that uses PhpSpreadsheet to process spreadsheet files.
The PhpSpreadsheet library, specifically the IOFactory::createReader('Xlsx') component, is used to read the uploaded file.
During the parsing process, the ColumnAndRowAttributes::readRowAttributes() method reads the large row number from the XML attribute.
The large row number is then used to update the cachedHighestRow property in the Worksheet object, effectively setting it to a very high value.
A subsequent operation that iterates over rows using getRowIterator() or retrieves the highest row using getHighestRow() triggers a loop that iterates up to the inflated cachedHighestRow value.
The excessive number of loop iterations consumes a significant amount of CPU resources, leading to a denial-of-service condition.
The application becomes unresponsive or crashes due to the CPU exhaustion.

Impact

Successful exploitation of this vulnerability leads to a CPU denial of service. A small, 1.6KB crafted XLSX file can trigger almost one billion iterations, causing the system to become unresponsive for an extended period (estimated at ~144 seconds per file). This impacts any application using getRowIterator() or getHighestRow() methods, making the system unavailable. Applications processing the spreadsheet may also exhaust memory if they attempt to accumulate data during the iteration process. The high amplification factor (small input leading to massive CPU consumption) makes this vulnerability particularly dangerous, especially in web applications that process user-supplied spreadsheets.

Recommendation

Apply the recommended fix by adding row bounds validation in readRowAttributes() to check if $rowIndex is within the acceptable range (1 to AddressRange::MAX_ROW). This is the primary recommendation from the source advisory.
Deploy the Sigma rule Detect PhpSpreadsheet Excessive Row Iteration to detect processes that may be attempting to process XLSX files with extremely high row numbers, indicating a potential exploitation attempt.
Monitor web server logs for suspicious file uploads, specifically XLSX files with unusually small sizes, which might indicate an attempt to upload a malicious file exploiting this vulnerability.

OpenCATS PHP Code Injection Vulnerability (CVE-2026-27760)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

CVE-2026-27760 is a critical PHP code injection vulnerability that affects OpenCATS, a web-based applicant tracking system, in versions prior to commit 3002a29. The vulnerability resides in the installer AJAX endpoint, specifically within the databaseConnectivity action parameter. Unauthenticated attackers can exploit this flaw by injecting arbitrary PHP code into this parameter. This injected code allows attackers to execute arbitrary commands on the server. The vulnerability is triggered during the initial setup phase, when the installation wizard is not yet complete and continues to execute on every subsequent page load. This vulnerability poses a significant risk to organizations using vulnerable versions of OpenCATS, as it can lead to complete system compromise, data theft, or denial of service.

Attack Chain

An unauthenticated attacker sends a crafted HTTP POST request to the OpenCATS installer AJAX endpoint (/install/ajax.php).
The request includes the databaseConnectivity action parameter.
The attacker injects PHP code into the databaseConnectivity parameter, breaking out of the define() string context in config.php with a single quote and statement separator.
The injected code is then processed by the server, leading to arbitrary PHP code execution within the context of the web server user.
The injected code persists because it’s written to the config.php file.
Every subsequent page load executes the injected PHP code, even after the initial malicious request.
The attacker can use the code execution to install a web shell for persistent access.
With the web shell, the attacker can perform various malicious activities, including reading sensitive files, modifying the database, or pivoting to other systems on the network.

Impact

Successful exploitation of CVE-2026-27760 allows unauthenticated attackers to execute arbitrary PHP code on the affected OpenCATS server. This can lead to complete system compromise, including the theft of sensitive applicant data, modification of application settings, and the installation of backdoors for persistent access. Given that OpenCATS handles applicant data, a successful attack could result in a significant data breach and reputational damage. The vulnerability exists in the installer and persists throughout subsequent page loads as long as the installation wizard remains incomplete, making it highly impactful.

Recommendation

Upgrade OpenCATS to a version containing commit 3002a29 or later to remediate CVE-2026-27760.
Monitor web server logs for suspicious POST requests to /install/ajax.php containing PHP code in the databaseConnectivity parameter to detect exploitation attempts (see rule: “Detect OpenCATS installer code injection attempt”).
Implement a Web Application Firewall (WAF) rule to block requests containing PHP code in the databaseConnectivity parameter.
Review and restrict access to the /install/ directory after completing the installation process to prevent accidental or malicious access to the installer.