Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter | Advisories

Advisories

Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter

severity: critical
date: January 13, 2026
Affecting: Webgrind 1.1
CVE: CVE-2023-54339
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51074
Webgrind GitHub Repository
Credit: Rafael Pedrero
Description: Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system.