NukeViet CMS CVE-2026-55372
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Pre-auth remote trigger with no interaction gives AV:N/AC:L/PR:N/UI:N; blind fixed-path sink yields only limited C:L (internal discovery) and I:L (header cache poisoning), and I keep S:U since impact stays within the vulnerable app.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
An unauthenticated attacker can coerce the server into issuing HTTP requests to an attacker-chosen host by spoofing the X Forwarded-Host (and X-Forwarded-Proto) request headers. The forwarded host is used, without validation, to build the URL that server_info_update() fetches with cURL, resulting in a Server-Side Request Forgery (SSRF) that requires no authentication.
Affected component
- File:
includes/ini.php- functionserver_info_update()(cURL sink) - File:
vendor/vinades/nukeviet/Core/Server.php-standardizeHost()and the forwarded-header handling in the constructor (source of the tainted host) - Trigger:
POSTrequest containing the field__serverInfoUpdate=1, handled early inincludes/ini.phpbefore any authentication.
Details
NukeViet\Core\Server derives original_host / original_protocol from the X-Forwarded-Host / X-Forwarded-Proto headers and exposes them via getOriginalHost() / getOriginalProtocol(). These values are attacker-controlled and were not validated against the site's configured domains (my_domains).
In server_info_update() the tainted host and scheme are concatenated directly into a cURL URL:
$proto = $nv_Server->getOriginalProtocol(); // from X-Forwarded-Proto
$host = $nv_Server->getOriginalHost(); // from X-Forwarded-Host
$ch = curl_init($proto . '://' . $host . NV_BASE_SITEURL . 'index.php?response_headers_detect=1');
curl_exec($ch);Two factors made this reliably reachable:
- The
__serverInfoUpdatehandler runs very early inincludes/ini.php, before authentication, so the sink is reachable pre-auth. - The host sanitiser
standardizeHost()stripped a trailing port only with the regex(\:[0-9]+)$, which is bypassed by appending a slash (e.g.127.0.0.1:8081/): the string no longer ends in:digits, so the port survives and an arbitraryhost:portreaches the cURL call.
Proof of Concept
POST /index.php HTTP/1.1
Host: <victim>
X-Forwarded-Proto: http
X-Forwarded-Host: <attacker-controlled-host>:<port>/
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
__serverInfoUpdate=1The server then issues a request to the attacker-supplied host, confirmed via an out-of-band interaction (DNS + HTTP) on a collaborator endpoint.
Impact
The SSRF is blind, HEAD-only, and uses a fixed request path (…/index.php?response_headers_detect=1):
- The fetched response is stored server-side in the
config_inicache and is not reflected to the attacker, so internal data cannot be exfiltrated directly. - Because the path is fixed and not attacker-controlled, cloud metadata endpoints (e.g.
169.254.169.254/latest/meta-data/...) cannot be reached, andgopher:///dict://request smuggling cannot inject arbitrary payloads.
What an attacker can do: unauthenticated internal host/port discovery (connection success/timing, with the port reachable through the regex bypass), and poisoning of the cached server_headers (the SSRF target's response headers are stored and applied to the site).
Severity
Rated High rather than Critical, because the blind + fixed-path + HEAD design of the sink prevents data exfiltration, cloud credential theft, and internal RCE.
- CVSS v3.1 Base Score: 7.2 (High)
- Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weakness
- Primary: CWE-918: Server-Side Request Forgery (SSRF)
- Contributing: CWE-20 (Improper Input Validation), CWE-644 (Improper Neutralization of HTTP Headers used by downstream components / trusting
X-Forwarded-*).
Remediation
Fixed by validating and normalising the forwarded values at the source and gating the request before the sink:
standardizeHost()now extracts the host withparse_url()(defeats the:port/bypass) and lower-cases it.X-Forwarded-Protois restricted to a{http, https}allow-list and falls back to the real server protocol otherwise.X-Forwarded-Portis validated as numeric and within range.- The incoming host is checked against
my_domainsbeforeincludes/ini.phpis reached; non-matching hosts are rejected/redirected, andserver_info_update()additionally re-validates its target host againstmy_domains(defense in depth).
Workaround
Configure the reverse proxy / web server to strip or override client-supplied X-Forwarded-Host, X-Forwarded-Proto, and X-Forwarded-Port headers, and ensure my_domains is configured with the site's canonical domain(s).
AnalysisAI
Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the __serverInfoUpdate feature path to be reachable - a POST to index.php with the field __serverInfoUpdate=1, which is handled early in includes/ini.php before authentication, so no credentials or user interaction are needed (CVSS PR:N/UI:N is consistent with this). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2 High) reflects a genuinely low-friction reachability profile: network attack vector, low complexity, no privileges and no user interaction, which matches the pre-auth POST trigger described. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an unauthenticated POST to /index.php containing __serverInfoUpdate=1 with X-Forwarded-Proto: http and X-Forwarded-Host set to an internal target such as 10.0.0.5:6379/, causing the NukeViet server to issue a HEAD request to that host and letting the attacker map reachable internal hosts and ports via connection success/timing. The advisory includes a working PoC confirmed through out-of-band DNS and HTTP interaction on a collaborator endpoint, but the blind, fixed-path sink means no internal response content is returned to the attacker. |
| Remediation | Vendor-released patch: upgrade NukeViet to 4.6.00 or later, which validates and normalises the forwarded values at the source - standardizeHost() now uses parse_url() to extract and lower-case the host (defeating the :port/ bypass), restricts X-Forwarded-Proto to an {http,https} allow-list falling back to the real server protocol, validates X-Forwarded-Port as an in-range numeric, checks the incoming host against my_domains before includes/ini.php is reached, and has server_info_update() re-validate its target against my_domains as defense in depth. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all NukeViet CMS installations in production and document their network isolation; review access logs for anomalous X-Forwarded-Host or X-Forwarded-Proto header patterns indicative of exploitation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4chg-4752-w88r