EUVD-2026-18226
GHSA-p458-m7mj-jhv3
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Analysis
Remote command injection in DefaultFuction Content-Management-System 1.0 allows unauthenticated attackers to execute arbitrary OS commands via the host parameter in /admin/tools.php. The flaw has a publicly available exploit (POC published on GitHub) and is exploitable over the network with low attack complexity. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: immediately inventory all systems running DefaultFunction CMS 1.0, isolate affected instances from production networks if possible, and restrict network access to /admin/tools.php to trusted IP ranges only. Within 7 days: evaluate migration to a patched alternative or hardened version if vendor releases one; implement Web Application Firewall (WAF) rules to block malicious host parameter payloads; enable comprehensive logging and monitoring on all DefaultFunction CMS instances. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today