Cyber Resilience

CVE-2023-54339

Critical · Public PoC · RCE

Published: 13 January 2026
Modified: 03 February 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 base score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0146 (70.2nd percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2023-54339 is a critical-severity OS command injection (CWE-78) vulnerability in Webgrind (webgrind project), a web front-end for the Xdebug profiler. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.8% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof of concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2023-54339 is a remote command execution vulnerability in Webgrind 1.1, a web-based front-end for the Xdebug profiler. The flaw arises from improper handling of the dataFile parameter of index.php: the value reaches an operating-system command without shell metacharacters being neutralised, so an attacker who controls it can run arbitrary commands on the host. The referenced payload '0%27%26calc.exe%26%27' decodes to 0'&calc.exe&' : the single quote closes the argument the value is embedded in, and the ampersands hand calc.exe to the command interpreter as a separate command (the choice of calc.exe indicates the proof of concept was demonstrated against a Windows host). The vulnerability is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), alongside the v4.0 score of 9.3, and is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, requiring no privileges or user interaction. A single crafted request to index.php with a malicious dataFile value yields remote code execution on the underlying operating system. Injected commands run with the privileges of the PHP or web server process, so the outcome ranges from data theft on the profiler host to full system compromise and lateral movement, depending on what that account can reach.

Advisories from VulnCheck and a proof-of-concept exploit on Exploit-DB describe the vulnerability and its reproduction steps, including the payload above. The Webgrind GitHub repository provides the source code for analysis. No patch is referenced in the available information. Until one is, the practical mitigations are to keep the instance off untrusted networks (Webgrind is a developer profiling tool and has no business being internet-facing) and to validate dataFile against an allowlist of profiler file names before it is used.
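The following added example (not Webgrind's code and not from the advisory) shows the shape of the flaw described above and the SI-10 style check that closes it: the decoded payload is dropped into a hypothetical single-quoted shell argument and tokenised as a shell would see it, then the same value is run through an allowlist validator that only accepts Xdebug-style profile names resolving inside an assumed output directory. The command template, the /tmp/xdebug directory and all helper names are assumptions made for illustration.

```python
"""CVE-2023-54339 pattern: an attacker-controlled dataFile value spliced into an
OS command line, and the allowlist check that closes it.  Added example; not
Webgrind's code.  The command template, the /tmp/xdebug directory and the
helper names are assumptions made for illustration."""
from __future__ import annotations

import re
import shlex
from pathlib import Path
from urllib.parse import unquote

# The payload quoted in the advisory, as it arrives in the query string.
PAYLOAD = "0%27%26calc.exe%26%27"

# Assumed shape of the vulnerable call: the request value dropped into a
# single-quoted shell argument.  Illustrative, not Webgrind's real command.
CMD_TEMPLATE = "preprocessor '{}' out.bin"

# Assumed profiler output directory, and Xdebug's default output-name scheme
# (xdebug.profiler_output_name defaults to cachegrind.out.%p).
PROFILE_DIR = Path("/tmp/xdebug")
SAFE_NAME = re.compile(r"cachegrind\.out\.[A-Za-z0-9._-]+")


def vulnerable_command(data_file: str) -> str:
    """Concatenation: the decoded value lands inside the quotes, so a value
    containing a quote and a separator breaks out of the argument."""
    return CMD_TEMPLATE.format(unquote(data_file))


def shell_words(cmd: str) -> list[str]:
    """Tokenise cmd the way a POSIX shell would, keeping & ; | as their own
    tokens, so the injected second command becomes visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def validate_data_file(data_file: str, profile_dir: Path = PROFILE_DIR) -> Path:
    """SI-10 style allowlist: decode once, require a bare profiler file name,
    and require the result to resolve directly inside profile_dir."""
    name = unquote(data_file)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected dataFile {name!r}")
    path = (profile_dir / name).resolve()
    if path.parent != profile_dir.resolve():
        raise ValueError("dataFile escapes the profile directory")
    return path


def is_safe_data_file(data_file: str) -> bool:
    """Boolean wrapper around validate_data_file for callers that only need a verdict."""
    try:
        validate_data_file(data_file)
    except ValueError:
        return False
    return True


def hardened_command(data_file: str) -> list[str]:
    """Argument vector for subprocess.run(args) with no shell: every element is
    passed to the program verbatim, so metacharacters never reach a shell.
    The PHP equivalent is escapeshellarg() around each value, or no shell at all."""
    return ["preprocessor", str(validate_data_file(data_file)), "out.bin"]


if __name__ == "__main__":
    cmd = vulnerable_command(PAYLOAD)
    print(cmd)               # preprocessor '0'&calc.exe&'' out.bin
    print(shell_words(cmd))  # ['preprocessor', '0', '&', 'calc.exe', '&', '', 'out.bin']
    print(is_safe_data_file(PAYLOAD), is_safe_data_file("cachegrind.out.4711"))
```

The tokenised form is the whole story: the quoted '0' ends the intended argument, '&' terminates the command, and calc.exe is parsed as a second command (cmd.exe treats '&' the same way, which is why the advisory's Windows payload works unchanged in shape on POSIX shells). The validator rejects the payload, traversal attempts and anything with a percent sign left over from double encoding, because none of them match the profiler naming scheme.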

Vulnerability details

Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, for example with the payload '0%27%26calc.exe%26%27', to execute commands on the target system.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2023-54339 enables unauthenticated remote OS command injection in a public-facing web application (Webgrind), directly facilitating T1190: Exploit Public-Facing Application for initial access and remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
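As an added detection example for the T1190 mapping above (not part of the page or the project), the script below scans web server access logs for requests to Webgrind's index.php whose dataFile value, once percent-decoded, contains shell metacharacters or is not a plain Xdebug profile name. The log lines are constructed for the example and the /webgrind/ path prefix is an assumption.

```python
"""Detection sketch for CVE-2023-54339 exploitation attempts (ATT&CK T1190):
flag requests to Webgrind's index.php whose dataFile value decodes to anything
other than a plain profiler file name.  Added example; not from the page or the
project.  The log lines are constructed and the /webgrind/ path is assumed."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache combined format): 198.51.100.9 sends the
# advisory's payload, the other lines are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2026:10:02:11 +0000] "GET /webgrind/index.php?dataFile=cachegrind.out.4711&costFormat=percent HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2026:10:02:12 +0000] "GET /webgrind/styles/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Jan/2026:10:02:15 +0000] "GET /webgrind/index.php?dataFile=0%27%26calc.exe%26%27 HTTP/1.1" 200 88 "-" "python-requests/2.31"
"""

# client identd user [timestamp] "method target protocol" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Xdebug names profiles cachegrind.out.<pid> by default; anything else in dataFile is suspect.
SAFE_NAME = re.compile(r"cachegrind\.out\.[A-Za-z0-9._-]+")
# Characters a shell interprets; any one of them in the decoded value is a hard signal.
SHELL_META = set(";&|`$<>'\"\\\n()")


def inspect_target(target: str) -> dict | None:
    """Return a finding for a request target carrying a suspicious dataFile, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return None
    for value in parse_qs(parts.query).get("dataFile", []):  # parse_qs percent-decodes once
        if any(c in SHELL_META for c in value):
            return {"value": value, "reason": "shell metacharacters in dataFile"}
        if not SAFE_NAME.fullmatch(value):
            return {"value": value, "reason": "dataFile is not a profiler file name"}
    return None


def scan_log(text: str) -> list[dict]:
    """Run inspect_target over every parseable line and tag hits with T1190."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = inspect_target(m["target"])
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "technique": "T1190", **hit})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two caveats for production use: the detector only sees GET query strings, so if the application also accepts dataFile in a POST body you need request-body logging or an inline proxy; and a double-encoded value (%2527 for the quote) survives the single decode with a literal percent sign, which still fails the profiler-name allowlist and is reported under the second reason rather than slipping through.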

CVEs Like This One

CVE-2025-43984 (shared CWE-78)
CVE-2026-34176 (shared CWE-78)
CVE-2026-47294 (shared CWE-78)
CVE-2020-37125 (shared CWE-78)
CVE-2024-49601 (shared CWE-78)
CVE-2025-62354 (shared CWE-78)
CVE-2022-50596 (shared CWE-78)
CVE-2025-56819 (shared CWE-78)
CVE-2025-48703 (shared CWE-78)
CVE-2026-25111 (shared CWE-78)

Affected Assets

webgrind project: webgrind, versions ≤ 1.1

Mitigating Controls (NIST SP 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent)
Directly mitigates the OS command injection by requiring validation and sanitisation of the dataFile parameter so that special elements such as the decoded quote and ampersand in '%27%26' are neutralised: accept only file names that match the profiler's naming scheme, resolve them inside the profiler output directory, and pass them to the preprocessor as a discrete argument rather than through a shell string.

SI-2 Flaw Remediation (prevent)
Addresses the specific flaw in Webgrind 1.1 by mandating timely remediation through patching or, while no patch is referenced, equivalent mitigations such as removing the instance from untrusted networks.

AC-6 Least Privilege (prevent)
Limits the damage from successful command injection. The injected commands run as the web server or PHP process user, so that account should own nothing beyond the profiler output directory and should have no access to credentials, package managers or other interpreters on the host; least privilege does not stop the injection, it bounds what the attacker can do with it.
