CVE-2018-14009
Description
Codiad through 2.8.4 allows unauthenticated remote code execution via crafted requests, a critical vulnerability distinct from previously known CVEs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Codiad versions through 2.8.4 contain a remote code execution vulnerability [CVE-2018-14009] that is distinct from CVE-2017-11366 and CVE-2017-15689 [1], [2], [3]. The bug resides in the user-controllable endpoints that do not properly validate or sanitize input, allowing an attacker to inject arbitrary PHP code into the server's file system. The code path is reachable without authentication, and the vulnerability affects all installations running Codiad 2.8.4 and earlier [1], [3].
Exploitation
An attacker with network access to the Codiad instance can send crafted HTTP requests to the application's management interfaces, leveraging insufficient input validation to write arbitrary PHP code to a file within the web root [1], [3]. The exploit sequence typically involves authenticating with a known username/password (default credentials admin:admin), then abusing the project management or file system endpoints to upload or modify a .php file containing attacker-controlled code [1], [3]. The exploit is publicly available as a Python script (e.g., the one by WangYihang) that automates the entire process, requiring only the target URL and credentials [3].
Impact
Successful exploitation gives the attacker the ability to execute arbitrary operating system commands with the privileges of the web server user [1], [3]. This results in complete compromise of the Codiad application and potentially the underlying server, allowing data exfiltration, lateral movement, or further exploitation of the host environment. The vulnerability is classified as remote code execution (RCE) with a high severity impact [2].
Mitigation
As of the most recent references (2025), Codiad is no longer under active maintenance, and no official patch has been released for this vulnerability [4]. Users are strongly advised to migrate to alternative, actively maintained web-based IDE solutions [4]. If immediate migration is not possible, access to the Codiad instance should be restricted to trusted networks, default credentials must be changed, and the application should be monitored for suspicious activity [1], [3]. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| codiad/codiad | Packagist | <= 2.8.4 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
- [1] github.com/advisories/GHSA-584h-jhxh-pxp2 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2018-14009 (NVD advisory)
- [3] packetstormsecurity.com/files/161944/Codiad-2.8.4-Remote-Code-Execution.html (web reference, x_refsource_MISC)
- [4] github.com/Codiad/Codiad/issues/1078 (MITRE reference, x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.