Cyber Resilience

CVE-2023-27040

CriticalPublic PoC

Published: 16 March 2023

Published
16 March 2023
Modified
26 February 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0362 88.1th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-27040 is a critical-severity Injection (CWE-74) vulnerability in Simple Image Gallery Web App Project Simple Image Gallery Web App. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 11.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Simple Image Gallery version 1.0 contains a remote code execution vulnerability that is triggered through the username parameter. The flaw is tracked as CVE-2023-27040, carries a CVSS v3.1 score of 9.8, and is associated with CWE-74. The affected component allows unauthenticated network access to execute arbitrary code on the server.

An attacker with no credentials or user interaction can supply a crafted username value over the network to achieve full system compromise, including the ability to read, modify, or delete data and execute commands. Public exploit code for this issue has been available on Exploit-DB since shortly after disclosure.

The EPSS score for the vulnerability rose from a low baseline to a peak of 0.0732 on 2025-01-22 before receding to its current value of 0.0362, indicating a period of increased exploitation interest well after the original publication date. No vendor advisory or patch information is referenced in the available sources.

EU & UK References

Vulnerability details

Simple Image Gallery v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the username parameter.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

simple image gallery web app project
simple image gallery web app
1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References