
CVE-2023-54339

Critical · Public PoC · RCE

Published: 13 January 2026
Modified: 03 February 2026
KEV Added: not listed
Patch: none referenced
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0086 (75.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-54339 is a critical-severity OS Command Injection (CWE-78) vulnerability in Webgrind (webgrind project), a web-based frontend for the Xdebug profiler, affecting version 1.1. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation) directly mitigates the OS command injection by requiring validation and sanitization of the dataFile parameter, so that special elements such as the URL-encoded quote and ampersand in the published payload (%27%26, i.e. '&) are neutralized before the value reaches a shell.

prevent: SI-2 (Flaw Remediation) addresses the specific flaw in Webgrind 1.1 by mandating timely remediation of CVE-2023-54339. No patch is referenced for this CVE, so equivalent mitigations, such as restricting network access to the Webgrind interface, apply until one is available.

prevent: AC-6 (Least Privilege) limits the damage from a successful injection by running the web server under an unprivileged account, so any command that does execute inherits only that account's permissions rather than those of an administrator.
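The SI-10 control above is easiest to reason about with the payload in hand. The following is an added example written for this page, not Webgrind's own code: it models how the published dataFile value breaks out of a single-quoted shell argument, then shows the validation a fix would apply (allowlisted file name, confinement to the profiler output directory, and passing the value as an argv element instead of interpolating it into a command string). The command template, the directory name and the file-name rule are assumptions for illustration; in a PHP application the same shape is an allowlist check followed by proc_open with an argument array (or escapeshellarg) rather than string concatenation.

```python
"""Added example (not Webgrind's code): a model of how the dataFile
payload breaks out of a shell argument, and the validation SI-10 calls
for.  The command template, directory layout and file-name rules are
assumptions for illustration."""
import os
import re
from urllib.parse import unquote

# Payload quoted in the NVD description of CVE-2023-54339.
PUBLISHED_PAYLOAD = "0%27%26calc.exe%26%27"


def build_command_unsafe(data_file):
    """Assumed vulnerable pattern: the decoded parameter is interpolated
    into a single-quoted argument of a shell command string."""
    return f"preprocessor '{data_file}' out.bin"


def decode_and_build(raw_param):
    """Show the command line the shell would receive for a raw query value."""
    return build_command_unsafe(unquote(raw_param))


# Hardened handling.  A cachegrind file name may only use a small character
# set and may not start with '.' or '-' (no hidden files, no values the
# preprocessor could parse as an option).  It must also stay inside the
# profiler output directory and is passed as its own argv element, so no
# shell ever parses it.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")


def validate_data_file(raw_param, profiler_dir):
    """Return the absolute path for raw_param, or raise ValueError."""
    name = unquote(raw_param)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("dataFile contains disallowed characters")
    base = os.path.realpath(profiler_dir)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("dataFile resolves outside the profiler directory")
    return full


def build_command_safe(raw_param, profiler_dir):
    """Argument vector for subprocess.run(..., shell=False): the value is
    data, not shell syntax, so '&' and quotes carry no special meaning."""
    return ["preprocessor", validate_data_file(raw_param, profiler_dir), "out.bin"]


def is_accepted(raw_param, profiler_dir="/tmp/profiler"):
    """True if the hardened validation would let raw_param through."""
    try:
        validate_data_file(raw_param, profiler_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_and_build(PUBLISHED_PAYLOAD))
    # preprocessor '0'&calc.exe&'' out.bin
    # '0' closes the quoted argument and '&' runs calc.exe as a second command.
    print(is_accepted(PUBLISHED_PAYLOAD), is_accepted("cachegrind.out.1234"))
```

The decoded command line shows why sanitizing individual characters is fragile: the quote and the ampersand are both needed, and a blocklist that misses either one (or a double-encoded variant) leaves the injection intact. An allowlist on the file name combined with an argument vector removes the shell from the path entirely.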

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2023-54339 enables unauthenticated remote OS command injection in a public-facing web application (Webgrind), directly facilitating T1190: Exploit Public-Facing Application for initial access and remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system.

Deeper analysis

CVE-2023-54339 is a remote command execution vulnerability in Webgrind version 1.1, a web-based frontend for the Xdebug profiler. The flaw arises from improper handling of the dataFile parameter in index.php, enabling OS command injection. Attackers can manipulate this parameter to execute arbitrary system commands on the host server, as demonstrated by the payload '0%27%26calc.exe%26%27', which URL-decodes to 0'&calc.exe&'. The ampersand is a command separator for both cmd.exe and POSIX shells, the quotes suggest the value is being interpolated into a quoted shell argument, and the calc.exe target shows that the public PoC was written against a Windows host. The vulnerability is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, requiring no privileges or user interaction. By sending crafted requests to index.php with a malicious dataFile value, they achieve full remote code execution on the underlying operating system, potentially leading to complete system compromise, data theft, or further lateral movement.

Advisories from VulnCheck and proof-of-concept exploits on Exploit-DB detail the vulnerability and reproduction steps, including the specific payload for command execution. The Webgrind GitHub repository provides source code context for analysis. No patches are referenced in the available information.
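Because the crafted request is a plain GET to index.php, exploitation attempts are visible in ordinary web server access logs. The following is an added example written for this page, not part of Webgrind or of the advisories above: it parses combined-format log lines, extracts every dataFile value, undoes repeated percent-encoding so double-encoded variants are not missed, and flags values containing shell metacharacters. The log lines are constructed (the second one carries the payload quoted on this page; the third is a constructed double-encoded variant), and the combined log format is an assumption.

```python
"""Added example (not part of Webgrind or this page's data): scan web
server access logs for requests to index.php whose dataFile parameter
carries shell metacharacters, the pattern used in the CVE-2023-54339 PoC.
The log lines below are constructed; the combined log format is assumed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: one legitimate request, two injection attempts (the
# first is the payload quoted on this page, the second a double-encoded
# ';id;' variant), and one plain page load without parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2026:10:01:02 +0000] "GET /webgrind/index.php?dataFile=cachegrind.out.1234&op=file_list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Jan/2026:10:02:44 +0000] "GET /webgrind/index.php?dataFile=0%27%26calc.exe%26%27&op=file_list HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.9 - - [13/Jan/2026:10:02:50 +0000] "GET /webgrind/index.php?dataFile=0%2527%253Bid%253B%2527 HTTP/1.1" 500 0 "-" "curl/8.4.0"
192.0.2.5 - - [13/Jan/2026:10:03:01 +0000] "GET /webgrind/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: client, identity, user, timestamp,
# request line, status.  Only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that have no business in a cachegrind file name but do have
# meaning to cmd.exe or a POSIX shell.
META = re.compile(r"[;&|`$'\"\n<>()]")


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so a double-encoded
    payload (%2527 -> %27 -> ') does not slip past the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flagged_data_file_values(target):
    """Decoded dataFile values in a request target that contain shell
    metacharacters; empty list when the request looks benign."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return []
    hits = []
    # parse_qs splits on the literal '&' before decoding, so an encoded
    # %26 inside a value stays part of that value.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("dataFile", []):
        decoded = decode_fully(raw)
        if META.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(text):
    """Return one finding per suspicious dataFile value, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in flagged_data_file_values(m["target"]):
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": m["status"],
                "dataFile": value,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} dataFile={f['dataFile']!r}")
```

To use it on a real deployment, pass the contents of the access log to scan_log; a 200 response to a flagged request is the case to treat as a probable compromise, while a 4xx/5xx still records who was probing. The check is deliberately an allowlist violation test on the decoded value rather than a signature for the one published payload, so trivial variants (other commands, double encoding, a semicolon instead of an ampersand) are caught as well.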

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Affected Products: webgrind project, webgrind, versions ≤ 1.1

CVEs Like This One

CVE-2026-23702 (shared CWE-78)
CVE-2024-50603 (shared CWE-78)
CVE-2022-50919 (shared CWE-78)
CVE-2026-4631 (shared CWE-78)
CVE-2024-57687 (shared CWE-78)
CVE-2024-49601 (shared CWE-78)
CVE-2026-34387 (shared CWE-78)
CVE-2025-51958 (shared CWE-78)
CVE-2025-43984 (shared CWE-78)
CVE-2025-48703 (shared CWE-78)
