Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network SSTI-to-RCE with total impact, but the Add/Update Project function is normally authenticated, so PR:L rather than the NVD PR:N; low complexity and no user interaction.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
An issue in Aetopia Digital Asset Management DAM v.1.0.0 allows a remote attacker to execute arbitrary code via the name and description parameter of the Add/Update Project function
AnalysisAI
Remote code execution in Aetopia Digital Asset Management (DAM) v1.0.0 is achievable through a server-side template injection flaw: attacker-controlled input in the 'name' and 'description' parameters of the Add/Update Project function is evaluated by the server-side template engine, letting an attacker run arbitrary code on the host. NVD scores this CVSS 9.8 (network, low complexity, no privileges required), and a public researcher writeup detailing the SSTI exists on the eslam3kl GitBook; however, there is no public exploit identified as weaponized code and it is not listed in CISA KEV, so it is not confirmed as actively exploited. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to invoke the Add/Update Project function and supply attacker-controlled values in the 'name' and/or 'description' parameters, which are rendered server-side by a template engine (SSTI). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The raw signals point to high severity: CVSS 9.8 with AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H implies trivial unauthenticated network RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the Aetopia DAM web interface submits a new or updated Project with a template-injection payload embedded in the name or description field. When the server renders the project data through its template engine, the payload is evaluated, executing attacker-supplied commands on the underlying host. … |
| Remediation | No vendor-released patch or fixed version was identified at time of analysis, and no vendor security advisory URL was provided (only the vendor marketing page and a third-party researcher writeup), so a specific upgrade target cannot be cited. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Identify all Aetopia DAM v1.0.0 instances within 24 hours and assess their network accessibility and operational criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44579
GHSA-gq83-g5c5-qrrq