CVE-2026-3968
Remote Code Injection in AutohomeCorp Frostmourne via Nashorn Engine
Publication date: 2026-03-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| autohomecorp | frostmourne | up to 1.0 (inclusive) |
| oracle | nashorn | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows attackers to achieve complete server compromise by executing arbitrary code with full Java runtime access.
- Confidentiality impact: reading sensitive files, database credentials, and configuration data.
- Integrity impact: modifying files, databases, and injecting malicious code.
- Availability impact: terminating the application, deleting files, and causing denial of service.
Proof-of-concept exploits demonstrate launching system commands, reading system files like /etc/passwd, establishing reverse shells, and exfiltrating data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-3968 is a critical remote code execution vulnerability in AutohomeCorp's Frostmourne software version 1.0 and earlier. It exists in the alarm expression evaluation system where authenticated administrative users can inject arbitrary JavaScript code through the alarm configuration interface.

This injected code is executed by the Oracle Nashorn JavaScript engine without any validation or sanitization, specifically via the scriptEngine.eval method in the ExpressionRule.java component. This allows attackers with administrative access to execute arbitrary code on the server.

The attack requires network access and authenticated administrative privileges, and the vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-934 (Use of Uncontrolled Resource in Code Evaluation Context). [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious use of the /save endpoint in the AdminController, which accepts POST requests containing the EXPRESSION payload. Since exploitation requires authenticated administrative access, detection involves auditing administrative actions and looking for unusual JavaScript code injections in alarm configurations.

Commands to detect exploitation attempts may include searching logs for POST requests to /save with suspicious payloads, or querying the database for alarm expressions containing suspicious JavaScript code.

- Use network monitoring tools or web server logs to filter POST requests to the /save endpoint.
- Search application logs or database alarm configuration entries for JavaScript code patterns or suspicious keywords such as `scriptEngine.eval`, `java.lang.Runtime`, or system commands.
- Example command to search logs for suspicious POST requests (Linux): `grep -i 'POST /save' /var/log/app_access.log | grep -E 'eval|Runtime|exec|curl|bash'`
- Example SQL query to find suspicious alarm expressions: `SELECT * FROM alert WHERE rule.settings LIKE '%scriptEngine.eval%' OR rule.settings LIKE '%Runtime%';` [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling script engine execution or restricting it to read-only mode to prevent arbitrary code execution.
Implement strict whitelist validation of alarm expressions to ensure only safe expressions are allowed.
Sandbox script execution using Java SecurityManager or restricted scripting environments to limit the impact of any injected code.
- Disable or restrict the use of scriptEngine.eval in ExpressionRule.java.
- Apply strict input validation and sanitization on the EXPRESSION field in alarm configurations.
- Restrict administrative access to trusted users only and monitor their activities closely.
Long-term recommendations include replacing Nashorn with safer expression languages like Spring Expression Language (SpEL) or Java Expression Language (JEXL) configured securely, and replacing eval() calls with parameterized expression builders.
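The mitigation steps above (whitelist validation of the EXPRESSION field, restricting what the script engine can reach) can be combined into one evaluator. The following is an added example, not Frostmourne's own code and not a patch from the project: the class and method names are hypothetical, the vulnerable shape only illustrates the unguarded `scriptEngine.eval` pattern the advisory describes, and the imports assume the Nashorn bundled with JDK 8 through 14 (on JDK 15+ the standalone `org.openjdk.nashorn` artifact uses the same API under a different package prefix).

```java
// Added example (not Frostmourne's code). Contrasts an unguarded Nashorn eval with a
// hardened evaluator that whitelists the expression grammar, whitelists identifiers,
// and denies all Java class access to scripts. Names here are hypothetical.
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import javax.script.SimpleBindings;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class AlarmExpressionEvaluator {

    // Vulnerable shape: the stored EXPRESSION string reaches eval unchanged on a default
    // engine, where Java.type("java.lang.Runtime") and every other JDK class is reachable.
    static Object evalUnguarded(String expression, Map<String, Object> metrics) throws ScriptException {
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine();
        return engine.eval(expression, new SimpleBindings(metrics));
    }

    // Layer 1: structural whitelist. Only identifiers, numeric literals, comparison,
    // arithmetic and boolean operators, parentheses and whitespace may appear. A dot is
    // accepted only inside a numeric literal, so member access, string literals, calls
    // with arguments and multi-statement scripts cannot be written at all.
    private static final Pattern SAFE_GRAMMAR = Pattern.compile(
            "^(?:\\s*(?:[A-Za-z_][A-Za-z0-9_]*|\\d+(?:\\.\\d+)?|[()<>=!&|+\\-*/%]))*\\s*$");
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    // Layer 2: every identifier must be a declared metric name. This also blocks Nashorn's
    // own globals (print, load, exit, quit, Java, ...) that would pass the grammar check.
    static void validate(String expression, Set<String> allowedMetrics) {
        if (expression == null || expression.length() > 512) {
            throw new IllegalArgumentException("expression missing or too long");
        }
        if (!SAFE_GRAMMAR.matcher(expression).matches()) {
            throw new IllegalArgumentException("expression contains disallowed characters");
        }
        Matcher m = IDENTIFIER.matcher(expression);
        while (m.find()) {
            if (!allowedMetrics.contains(m.group())) {
                throw new IllegalArgumentException("unknown identifier: " + m.group());
            }
        }
    }

    // Layer 3: even if validation were bypassed, the engine exposes no Java classes.
    // --no-java removes the Java and Packages globals; the ClassFilter lambda vetoes every
    // class name a script might still try to reach.
    private static ScriptEngine lockedDownEngine() {
        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
        return factory.getScriptEngine(
                new String[] {"--no-java"},
                AlarmExpressionEvaluator.class.getClassLoader(),
                className -> false);
    }

    // Hardened entry point: validate, evaluate on the locked-down engine, and insist on a
    // boolean result so an alarm rule cannot be turned into a value-returning script.
    static boolean evaluateAlarm(String expression, Map<String, Object> metrics) throws ScriptException {
        validate(expression, metrics.keySet());
        Object result = lockedDownEngine().eval(expression, new SimpleBindings(metrics));
        if (!(result instanceof Boolean)) {
            throw new IllegalArgumentException("alarm expression must evaluate to a boolean");
        }
        return (Boolean) result;
    }

    public static void main(String[] args) throws ScriptException {
        // Constructed sample metrics, as an alarm rule would see them.
        Map<String, Object> metrics = new HashMap<>();
        metrics.put("cpu_usage", 93.5);
        metrics.put("error_count", 12);

        System.out.println(evaluateAlarm("cpu_usage > 90 && error_count >= 10", metrics)); // true

        // Input of the kind the advisory describes: rejected by the grammar check before any eval.
        String hostile = "Java.type('java.lang.Runtime')";
        try {
            evaluateAlarm(hostile, metrics);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run `validate` twice: once in the /save handler so a rejected expression is never persisted, and again at evaluation time so a value written directly to the database does not bypass the check. The three layers are independent on purpose; the grammar whitelist is the control that actually prevents code injection, while the identifier check and the locked-down engine limit the damage if a later change loosens the grammar.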