Critical severity · NVD Advisory · Published Aug 5, 2025 · Updated Apr 15, 2026
CVE-2013-10070
Description
PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host system.
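A log-triage check for the behaviour described above, added here as an example and not taken from the advisory or the PHP-Charts project: it flags requests to wizard/url.php whose decoded GET parameter names are not plain identifiers. The combined access-log format, the `/php-charts/` install prefix, the identifier allowlist and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: Apache/nginx "combined" access-log format.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: legitimate parameter names are plain identifiers, optionally
# followed by PHP array brackets. Anything else is treated as suspicious.
SAFE_NAME_RE = re.compile(r'[A-Za-z0-9_.-]+(\[[A-Za-z0-9_.-]*\])*')
VULN_SCRIPT = "/wizard/url.php"  # script named in the advisory

def suspicious_param_names(target):
    """Return decoded GET parameter names that are not plain identifiers,
    for requests to the vulnerable script only."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULN_SCRIPT):
        return []
    bad = []
    for pair in parts.query.split("&"):             # PHP's default separator
        name = unquote_plus(pair.split("=", 1)[0])  # decode once, as PHP does
        if name and not SAFE_NAME_RE.fullmatch(name):
            bad.append(name)
    return bad

def scan(lines):
    """Return [(line_number, [names])] for log lines worth triaging."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            bad = suspicious_param_names(match.group("target"))
            if bad:
                hits.append((number, bad))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder names).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2025:10:00:00 +0000] "GET /php-charts/wizard/url.php?type=bar&series%5B0%5D=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Aug/2025:10:00:02 +0000] "GET /php-charts/wizard/url.php?CONSTRUCTED_CODE%28%29%3B=1 HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [05/Aug/2025:10:00:03 +0000] "GET /index.php?a%28%29=1 HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious parameter names {names}")
```

The same allowlist on parameter names can be enforced at a reverse proxy or WAF in front of the script, which matters here because no patch is listed.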
Patches
No patches discovered yet.
References
- raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/php_charts_exec.rb (nvd)
- web.archive.org/web/20130120234844/http://php-charts.com/ (nvd)
- www.exploit-db.com/exploits/24201 (nvd)
- www.exploit-db.com/exploits/24273 (nvd)
- www.vulncheck.com/advisories/php-charts-php-code-execution (nvd)