CVE-2023-54339
Unknown Unknown - Not Provided
Remote Command Execution in Webgrind 1.1 via dataFile Parameter

Publication date: 2026-01-13

Last updated on: 2026-02-03

Assigner: VulnCheck

Description
Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2023-54339
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jokkedk webgrind to 1.1 (inc)
webgrind_project webgrind to 1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-54339 is a critical remote command execution (RCE) vulnerability in Webgrind version 1.1. It allows unauthenticated attackers to inject and execute arbitrary operating system commands by manipulating the dataFile parameter in the index.php file. For example, an attacker can use a payload like `0'%26calc.exe%26'` to execute commands such as launching calc.exe on the target system. This happens because the application does not properly neutralize special elements used in OS commands, enabling command injection. [1, 2]

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote execution of system commands on the affected server without any authentication. This can lead to full system compromise, allowing attackers to execute arbitrary code, access sensitive data, disrupt services, or use the system as a foothold for further attacks. The high CVSS scores (9.3 and 9.8) reflect the critical nature and potential for significant confidentiality, integrity, and availability damage. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to exploit the dataFile parameter in the /index.php endpoint of Webgrind 1.1. For example, sending a request with a payload such as `/index.php?dataFile=0'%26calc.exe%26'&showFraction=0.9&op=function_graph` can test if arbitrary OS commands are executed. Monitoring for unusual command execution or unexpected processes like calc.exe on Windows systems can also indicate exploitation attempts. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable Webgrind 1.1 application, especially the /index.php endpoint, until a patch or update is applied. Implement input validation and sanitization on the dataFile parameter to prevent command injection. Additionally, monitor network traffic and system logs for suspicious activity related to this parameter. If possible, upgrade to a version of Webgrind that addresses this vulnerability or apply vendor-provided patches. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart