Improve CVE-2026-26026 SSTI check and correct severity to 7.2#23
Open
UncleJ4ck wants to merge 1 commit into
Open
Improve CVE-2026-26026 SSTI check and correct severity to 7.2#23UncleJ4ck wants to merge 1 commit into
UncleJ4ck wants to merge 1 commit into
Conversation
UncleJ4ck
force-pushed
the
glpi-cve-2026-26026
branch
from
6d38776 to
afcde62
Compare
UncleJ4ck
force-pushed
the
glpi-cve-2026-26026
branch
from
afcde62 to
9e5e29e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Split from #12. This reworks the existing
CVE-2026-26026module rather than adding a new one, so compare it against the current version and take whichever you prefer.check()now uses a Twig arithmetic probe ({{31337*2}}must render as62674), which a static reflection cannot fake, and purges the draft form afterwards.run(cmd)executes a command through the double-compilation SSTI (call(_get.fn, [_get.arg])->shell_exec) and returns stdout.@cvsscorrected6.4->7.2. The double-compilation is a provenshell_execRCE, not just SSTI;7.2is the authenticated-admin score fromGHSA-2c98-648q-h27h(the advisory also lists 9.1). Verified live:run(cmd=id)returneduid=33(www-data)on 11.0.2.@authorleft asZax(the researcher).