High severity8.8NVD Advisory· Published Dec 11, 2017· Updated May 13, 2026

CVE-2017-17536

Description

Phabricator before 2017-11-10 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary code by using the web UI to browse a branch whose name begins with a --config= or --debugger= substring.

Affected products

Phacility/Phabricator
cpe:2.3:a:phacility:phabricator:*:*:*:*:*:*:*:*
Range: <2017-11-10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

secure.phabricator.com/T13012nvdIssue TrackingPatchVendor Advisory
hackerone.com/reports/288704nvdIssue TrackingThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000