Primary

Context

Tea LaTex Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Tea LaTex version 1.0. This vulnerability allows unauthenticated attackers to execute arbitrary shell commands via the /api.php endpoint. Exploitation involves crafting a malicious LaTeX payload that, when processed by the application's tex2png API action, executes the embedded shell commands.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Tea LaTex is hosted.

Reproduction

To reproduce this vulnerability, send a POST request to the /api.php endpoint with the action set to tex2png. The request must include a LaTeX payload that contains shell commands. When the server processes the payload, the commands will be executed, leading to remote code execution.

Added: Jan 29, 2026, 3:31 PM

Updated: Jan 29, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

8.7

remediation

0.0

relevance

2.4

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

8.7

remediation

0.0

relevance

2.4

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tea LaTex Remote Code Execution Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating