CVE-2023-54339
Remote Command Execution in Webgrind 1.1 via dataFile Parameter
Publication date: 2026-01-13
Last updated on: 2026-02-03
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jokkedk | webgrind | to 1.1 (inc) |
| webgrind_project | webgrind | to 1.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-54339 is a critical remote command execution (RCE) vulnerability in Webgrind version 1.1. It allows unauthenticated attackers to inject and execute arbitrary operating system commands by manipulating the dataFile parameter in the index.php file. For example, an attacker can use a payload like `0'%26calc.exe%26'` to execute commands such as launching calc.exe on the target system. This happens because the application does not properly neutralize special elements used in OS commands, enabling command injection. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote execution of system commands on the affected server without any authentication. This can lead to full system compromise, allowing attackers to execute arbitrary code, access sensitive data, disrupt services, or use the system as a foothold for further attacks. The high CVSS scores (9.3 and 9.8) reflect the critical nature and potential for significant confidentiality, integrity, and availability damage. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the dataFile parameter in the /index.php endpoint of Webgrind 1.1. For example, sending a request with a payload such as `/index.php?dataFile=0'%26calc.exe%26'&showFraction=0.9&op=function_graph` can test if arbitrary OS commands are executed. Monitoring for unusual command execution or unexpected processes like calc.exe on Windows systems can also indicate exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable Webgrind 1.1 application, especially the /index.php endpoint, until a patch or update is applied. Implement input validation and sanitization on the dataFile parameter to prevent command injection. Additionally, monitor network traffic and system logs for suspicious activity related to this parameter. If possible, upgrade to a version of Webgrind that addresses this vulnerability or apply vendor-provided patches. [1, 2]
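The detection and mitigation answers above both suggest watching logs for suspicious use of the dataFile parameter. The following is an added example, not code from the CVE record or the Webgrind project: it scans constructed Apache-style access-log lines (the IPs, timestamps and entries are made up) for index.php requests whose dataFile value decodes to shell metacharacters such as the `%26` (`&`) seen in the published payload, and it percent-decodes a second time so doubly encoded values are caught as well.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that never belong in a profiler data-file name.
SHELL_META = re.compile(r"[&|;`$<>\n]")

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2026:10:01:02 +0000] "GET /index.php?dataFile=cachegrind.out.1234&showFraction=0.9&op=function_graph HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jan/2026:10:01:05 +0000] "GET /index.php?dataFile=0'%26calc.exe%26'&showFraction=0.9&op=function_graph HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.9 - - [13/Jan/2026:10:01:09 +0000] "GET /index.php?dataFile=cachegrind.out.1234%253Bid&op=function_graph HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.4 - - [13/Jan/2026:10:02:00 +0000] "GET /index.php?op=file_source&file=%2Fvar%2Fwww%2Fapp.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)


def suspicious_data_file(target: str):
    """Return the decoded dataFile value if it carries shell metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("index.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("dataFile", [])
    for raw in values:
        # parse_qs already percent-decoded once; decode again to catch double encoding.
        decoded = unquote(raw)
        if SHELL_META.search(decoded):
            return decoded
    return None


def scan_log(text: str):
    """Return (ip, timestamp, decoded dataFile) for every request that looks like an injection attempt."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        bad = suspicious_data_file(m["target"])
        if bad is not None:
            hits.append((m["ip"], m["ts"], bad))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} dataFile={value!r}")
```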