Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.
Analysis (AI-generated)
Authenticated remote code execution in OpenBullet2 through version 0.3.2 allows any logged-in user to run arbitrary C# code on the host by abusing the job configuration interface's plain C# execution mode. Because that mode lacks reference filtering or API restrictions, attackers can touch the file system, spawn child processes, and call any .NET API as the OpenBullet2 service account. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not captured).
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires authenticated access to the OpenBullet2 web interface at any privilege level that can create or modify job configurations (CVSS PR:L), network reachability to the UI (AV:N), and the use of the plain C# execution mode for jobs, which is the in-product feature that lacks reference filtering and API restrictions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H), scoring 8.7, reflects network-reachable, low-complexity exploitation requiring only low-privilege authentication and yielding full confidentiality, integrity, and availability impact on the host, which is appropriate for an authenticated-RCE primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains low-privilege OpenBullet2 credentials (through reuse, weak defaults, the related auth-bypass technique, or a co-tenant operator account) and logs into the web UI. They create or edit a job using the plain C# execution mode and embed a short payload that calls System.Diagnostics.Process.Start to drop and run a reverse shell (or directly read configuration secrets and stored cookies). … |
| Remediation | No vendor-released patch identified at time of analysis. Upgrade to any post-0.3.2 release the maintainers publish that explicitly addresses CWE-94 in the job configuration code path, and monitor the VulnCheck advisory (https://www.vulncheck.com/advisories/openbullet2-authenticated-rce-via-job-configuration-interface) for fix coordinates. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
Within 24 hours: Identify all systems running OpenBullet2 version 0.3.2 or earlier; immediately isolate from production networks or implement strict access controls on administrative interfaces; enable comprehensive logging of job execution and C# code submissions. …
External POC / Exploit Code
Related advisory identifiers: EUVD-2026-35135, GHSA-w8vj-qcv3-4w36