Chevereto Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Chevereto version 3.13.4 Core. This issue allows attackers to inject malicious code during the database configuration installation process. By manipulating the database table prefix parameter, attackers can write a PHP shell file and execute arbitrary system commands through a crafted POST request.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Chevereto is installed.

Reproduction

To reproduce this vulnerability, send a POST request to the Chevereto installation endpoint with a crafted database table prefix parameter that includes injected PHP code. The injected code should be designed to write a PHP file containing a payload that, when executed, runs arbitrary system commands. After the injection, the injected code can be executed by accessing the PHP file through the web server.
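A defensive counterpart to the issue described above, as an added example that is not Chevereto's own code: it assumes the installer persists the table prefix into a PHP settings file, and shows an allow-list check on the prefix plus literal-safe serialization. The function names, the `db_table_prefix` key, the 16-character limit, and the sample inputs are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; helper names and the settings key are hypothetical.

/** Accept only an identifier-safe prefix: a letter, then letters, digits or underscore. */
function validate_table_prefix(string $prefix): string
{
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    if (preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,15}\z/', $prefix) !== 1) {
        throw new InvalidArgumentException('Invalid table prefix');
    }
    return $prefix;
}

/** Render settings with var_export() so no value can end its own string literal. */
function render_settings(array $settings): string
{
    $settings['db_table_prefix'] =
        validate_table_prefix((string) ($settings['db_table_prefix'] ?? ''));
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

/** Refuse to run once settings exist, then write to a temp file and rename into place. */
function write_settings(string $path, array $settings): void
{
    if (file_exists($path)) {
        throw new RuntimeException('Settings already exist; installer is locked');
    }
    $tmp = $path . '.' . bin2hex(random_bytes(8)) . '.tmp';
    if (file_put_contents($tmp, render_settings($settings), LOCK_EX) === false) {
        throw new RuntimeException('Cannot write settings');
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException('Cannot install settings file');
    }
}

// Constructed sample inputs: two ordinary prefixes and three that must be rejected.
foreach (['chv_', 'img2024_', "chv_'x", '', 'a b'] as $sample) {
    try {
        validate_table_prefix($sample);
        echo var_export($sample, true), " accepted\n";
    } catch (InvalidArgumentException $e) {
        echo var_export($sample, true), " rejected\n";
    }
}
```

The validation and the serialization are independent layers: the allow-list keeps quote and tag characters out of the value, and `var_export()` escapes whatever reaches the file even if the check is later loosened.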

Added: Feb 11, 2026, 9:47 PM
Updated: Feb 11, 2026, 9:47 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 9.3
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.