Webgrind Remote Command Execution Vulnerability

Vulnerability

A remote command execution vulnerability has been identified in Webgrind version 1.1. An unauthenticated attacker can inject and execute operating system commands through the 'dataFile' parameter of 'index.php', because the application passes the parameter's value into a shell command without sanitizing or escaping it. The URL-encoded payload '0%27%26calc.exe%26%27' decodes to 0'&calc.exe&': the first single quote terminates the quoted argument, the '&' characters act as command separators, and 'calc.exe' is therefore executed on the target system as a separate command.

Impact

Successful exploitation gives an unauthenticated attacker arbitrary command execution on the server where Webgrind is running, with the privileges of the web server process.

Reproduction

To reproduce this vulnerability, send a GET request to 'webgrind/index.php' with the 'dataFile' parameter set to a payload that breaks out of the quoted argument and appends the desired command, such as '0%27%26calc.exe%26%27', which opens the calculator application on a Windows host. The payload must be URL-encoded as shown: an unencoded '&' would be parsed as a query-string separator by the web server rather than reaching the shell.
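The following script is an added example, not code from Webgrind or from the advisory, illustrating both the mechanism described above and the reproduction step. It decodes the advisory's payload, shows how a single-quoted shell argument (an assumed template, since Webgrind's exact command line is not reproduced here) splits into separate commands, gives an allowlist check that would have blocked the parameter, and scans constructed access-log lines for the injection. The command template, file names and log lines are assumptions for illustration.

```python
"""Added example (not Webgrind's own code): why the dataFile payload escapes a
quoted shell argument, an allowlist check for the parameter, and a scan of
access-log lines for the injection. Command template, file names and log
lines are constructed for illustration."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed shape of the vulnerable call: the raw parameter dropped into a
# single-quoted argument (Webgrind's exact command line is not reproduced).
VULN_TEMPLATE = "php preprocessor.php '{value}'"

# Operators that cmd.exe and POSIX shells treat as command boundaries.
CMD_SEPARATORS = ("&&", "||", "&", ";", "|")
SHELL_META = re.compile(r"""[&;|`$<>\n\r'"\\()]""")
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"'
)


def decode_payload(raw: str) -> str:
    """URL-decode the query value the way PHP's $_GET does."""
    return unquote(raw)


def build_vulnerable_command(value: str) -> str:
    """Plain concatenation, as the advisory describes: no escaping at all."""
    return VULN_TEMPLATE.format(value=value)


def split_commands(cmdline: str) -> list[str]:
    """Cut a command line at separators that sit outside single quotes.
    A deliberately small parser: enough to show where the injected command
    begins, not a full sh or cmd.exe grammar."""
    commands, buf, in_quote, i = [], "", False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        sep = next((s for s in CMD_SEPARATORS if cmdline.startswith(s, i)), None)
        if sep and not in_quote:
            commands.append(buf.strip())
            buf = ""
            i += len(sep)
            continue
        if ch == "'":
            in_quote = not in_quote
        buf += ch
        i += 1
    commands.append(buf.strip())
    return [c for c in commands if c]


def is_safe_data_file(value: str, known_files: set[str]) -> bool:
    """Allowlist check to run before the parameter touches a command or path:
    a plain file name that the application itself listed in its data dir."""
    return SAFE_NAME.fullmatch(value) is not None and value in known_files


def scan_access_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client IP, decoded dataFile) for requests whose dataFile carries
    shell metacharacters. parse_qs percent-decodes each value; an unencoded
    '&' would split the query instead, but the stray quote left in the first
    fragment still trips the check."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query).get("dataFile", []):
            if SHELL_META.search(value):
                hits.append((m.group("ip"), value))
    return hits


SAMPLE_LOG = [  # constructed lines, not from a real server
    '203.0.113.5 - - [13/Jan/2026:23:39:00 +0000] "GET /webgrind/index.php?dataFile=0%27%26calc.exe%26%27 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jan/2026:23:40:10 +0000] "GET /webgrind/index.php?dataFile=cachegrind.out.1234 HTTP/1.1" 200 9876',
    '203.0.113.5 - - [13/Jan/2026:23:41:12 +0000] "GET /webgrind/index.php?dataFile=0%27%3Bid%3E/tmp/o%27 HTTP/1.1" 200 512',
]
KNOWN_FILES = {"cachegrind.out.1234", "cachegrind.out.1235"}  # constructed listing

if __name__ == "__main__":
    value = decode_payload("0%27%26calc.exe%26%27")
    print("decoded:", value)
    for cmd in split_commands(build_vulnerable_command(value)):
        print("shell would run:", cmd)
    print("allowed by validator:", is_safe_data_file(value, KNOWN_FILES))
    for ip, v in scan_access_log(SAMPLE_LOG):
        print(f"suspicious dataFile from {ip}: {v!r}")
```

The validator deliberately rejects anything that is not a bare file name already known to the application, which closes both the command injection and any path traversal through the same parameter; escaping alone (for example PHP's escapeshellarg) would only address the former. The log scan keys on metacharacters after decoding, so attempts that encode the separator differently are still caught as long as the decoded value reaches the check.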

Added: Jan 13, 2026, 11:39 PM
Updated: Jan 13, 2026, 11:39 PM

Vulnerability Rating

Custom Algorithm

  spread           2.6
  impact          10.0
  exploitability   9.1
  remediation      0.0
  relevance        2.0
  threat           6.4
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to produce these eight category scores, which are then combined to calculate the overall risk score.