Cyber Posture

CVE-2023-54339

Critical · Public PoC

Published: 13 January 2026
Modified: 03 February 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0073 (72.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, for example by using the payload '0%27%26calc.exe%26%27' to execute commands on the target system.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: SI-10 directly mitigates the OS command injection by requiring validation and sanitization of the dataFile parameter to neutralize special elements like '%27%26' payloads.
- prevent: SI-2 addresses the specific flaw in Webgrind 1.1 by mandating timely remediation through patching or equivalent mitigations for CVE-2023-54339.
- prevent: AC-6 least privilege limits the damage from successful command injection by ensuring the web server process lacks permissions to execute arbitrary system commands.
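The SI-10 validation above, and the request pattern in the description, as an added Python example (this is not Webgrind's code and not part of the advisory): it URL-decodes the dataFile query value, accepts only a bare profiler output filename (an assumed allowlist, since Webgrind's real handling of the parameter is not shown on this page), and runs the same check over constructed web-server access-log lines so a defender can flag requests whose dataFile carries shell metacharacters.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for dataFile: a bare profiler output filename such as
# "cachegrind.out.1234". No path separators, quotes, '&', ';' or whitespace
# can pass, which is the SI-10 "neutralize special elements" requirement.
SAFE_DATAFILE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_safe_datafile(value: str) -> bool:
    """True only for a plain filename with no shell or path metacharacters."""
    return bool(SAFE_DATAFILE.fullmatch(value)) and ".." not in value


# Constructed access-log lines (common log format) for the demo; not real traffic.
# Line 2 carries the page's payload, still percent-encoded as it arrives on the wire.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2026:10:00:01 +0000] "GET /webgrind/index.php?dataFile=cachegrind.out.1234&op=function_list HTTP/1.1" 200 5120
10.0.0.9 - - [13/Jan/2026:10:00:07 +0000] "GET /webgrind/index.php?dataFile=0%27%26calc.exe%26%27 HTTP/1.1" 500 312
10.0.0.5 - - [13/Jan/2026:10:00:09 +0000] "GET /webgrind/index.php?op=file_list HTTP/1.1" 200 812
"""

# Source address, timestamp, method, request target and status from a CLF line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_datafile_requests(log_text: str) -> list[dict]:
    """Return every index.php request whose dataFile value fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("index.php"):
            continue
        # parse_qs percent-decodes each value, so %27%26 becomes '& before the
        # check; that is also the form the value has when it reaches the shell.
        for value in parse_qs(url.query).get("dataFile", []):
            if not is_safe_datafile(value):
                hits.append({"src": m.group("src"), "ts": m.group("ts"),
                             "dataFile": value, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_datafile_requests(SAMPLE_LOG):
        print(hit)
```

Decode before matching: a rule that looks for the literal string '%27%26' misses the same characters sent raw or with different encodings, whereas checking the decoded value against the allowlist catches all of them.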

Security Summary [AI]

CVE-2023-54339 is a remote command execution vulnerability in Webgrind version 1.1, a web-based frontend for the Xdebug profiler. The flaw arises from improper handling of the dataFile parameter in index.php, enabling OS command injection. Attackers can manipulate this parameter to execute arbitrary system commands on the host server, as demonstrated by payloads like '0%27%26calc.exe%26%27'. The vulnerability is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, requiring no privileges or user interaction. By sending crafted requests to index.php with a malicious dataFile value, they achieve full remote code execution on the underlying operating system, potentially leading to complete system compromise, data theft, or further lateral movement.

Advisories from VulnCheck and proof-of-concept exploits on Exploit-DB detail the vulnerability and reproduction steps, including the specific payload for command execution. The Webgrind GitHub repository provides source code context for analysis. No patches are referenced in the available information.

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Affected Products

- Vendor: webgrind project · Product: webgrind · Versions: ≤ 1.1

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2023-54339 enables unauthenticated remote OS command injection in a public-facing web application (Webgrind), directly facilitating T1190: Exploit Public-Facing Application for initial access and remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References