546669204 vps-inventory-monitoring VpsTest Console VpsTest.php eval code injection
Description
A vulnerability was found in 546669204 vps-inventory-monitoring up to commit 98c00b370668c96ae75e91c15548d9ea113652d9. It affects the function eval in the file app/index/command/VpsTest.php of the component VpsTest Console. Manipulating the argument vf can lead to code injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The product uses a rolling-release system for continuous delivery, so version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote code injection in VpsTest console via unsanitized eval() of user-controlled input in vps-inventory-monitoring.
Vulnerability
The VpsTest console command in app/index/command/VpsTest.php passes the vf field from database records directly to PHP's eval() function. Any authenticated user can inject arbitrary PHP code via the vf parameter when creating or editing a monitoring entry through POST /index/index/edit. All versions up to commit 98c00b370668c96ae75e91c15548d9ea113652d9 in the rolling-release repository 546669204/vps-inventory-monitoring are affected [1][2][3].
Exploitation
An attacker needs a registered user account (low privileges) on the application. The attacker sets the vf field of a monitoring entry to a malicious PHP payload. When the scheduled task php think VpsTest runs (or when an administrator manually executes the command), the eval() call executes the injected code. No interaction by any other user is required; execution occurs automatically on the next cron cycle or manual invocation [1][2].
Impact
Successful exploitation yields remote code execution (RCE) with the privileges of the web server process. The attacker can read, modify, or delete sensitive data, execute system commands, and potentially compromise the entire server. The CVSS 3.1 score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability [1][2].
Mitigation
No official fix has been released; the project maintainer has not responded to the issue report [1][2]. Users should immediately disable the VpsTest command and remove or restrict access to the vf field in the database. As a workaround, apply input sanitization or disable eval() usage in the affected code path. The product uses a rolling-release system, so consult the repository for future commits [1][3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-controlled content stored in the database is passed directly to PHP's eval() function without any sanitization or sandboxing."
Attack vector
An attacker first registers an account on the target instance and logs in [ref_id=1][ref_id=2]. They then navigate to `/index/index/edit`, click "Add Monitor", and submit a malicious PHP payload in the "validation function" (`vf`) field — for example, `file_put_contents('/var/www/html/public/shell.php', '...'); return true;` [ref_id=1][ref_id=2]. The record is saved with `status = 1` by default, so no additional action is needed to arm it [ref_id=1][ref_id=2]. The `php think VpsTest` command, which the project's README instructs operators to run as a scheduled cron task or via `screen`, then executes the attacker's injected code in the context of the web/CLI user [ref_id=1][ref_id=2][ref_id=3].
Affected code
The vulnerable code resides in `app/index/command/VpsTest.php`. The command loops over all records in the `xm_index` table where `status = 1` and passes the `vf` column directly into PHP's `eval()` function: `$a = eval($value["vf"]);` [ref_id=1][ref_id=2]. The `vf` column is populated from the "validation function" input field on the monitor-edit page (`POST /index/index/edit`), which is writable by any authenticated user [ref_id=1][ref_id=2]. No sandboxing, AST validation, or allow-listing is performed on the user-supplied string before it reaches `eval()` [ref_id=1][ref_id=2].
What the fix does
No patch has been published; the project was informed via an issue report but has not responded [ref_id=1]. The recommended remediation is to remove `eval()` entirely and replace the "validation function" feature with a safe, declarative alternative — such as a fixed set of check types (HTTP status, regex match, string contains, JSON-path equals) with parameters stored as data rather than code [ref_id=1][ref_id=2]. If an executable expression is unavoidable, it should be isolated in a restricted, sandboxed evaluator (e.g., `symfony/expression-language` with a strict function allow-list) rather than raw `eval()` on user-provided strings [ref_id=1][ref_id=2].
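The declarative alternative described above, as an added example that is not the project's code: the `check_type`/`check_param` columns, the `runCheck()` function and the sample rows are assumptions standing in for the `xm_index` row's `vf` field, and the loop keeps the original `status = 1` filter.

```php
<?php
// Added example, not project code: replaces `$a = eval($value["vf"]);` with
// checks stored as data. Assumed columns 'check_type' and 'check_param' take
// the place of the PHP-code string in 'vf'. Requires PHP 8 (str_contains).
declare(strict_types=1);

// Evaluate one stored check against the fetched HTTP status and body.
// $row mirrors an xm_index record; only fixed check types are honoured.
function runCheck(array $row, int $httpStatus, string $body): bool
{
    $param = (string)($row['check_param'] ?? '');
    switch ($row['check_type'] ?? '') {
        case 'http_status':            // param: expected status code, e.g. "200"
            return ctype_digit($param) && (int)$param === $httpStatus;
        case 'contains':               // param: literal substring
            return $param !== '' && str_contains($body, $param);
        case 'regex':                  // param: PCRE pattern; reject invalid ones
            if (@preg_match($param, '') === false) {
                return false;
            }
            return preg_match($param, $body) === 1;
        case 'json_path_equals':       // param: "<dot.path>=<expected>"
            [$path, $expected] = array_pad(explode('=', $param, 2), 2, '');
            $node = json_decode($body, true);
            foreach (explode('.', $path) as $key) {
                if (!is_array($node) || !array_key_exists($key, $node)) {
                    return false;
                }
                $node = $node[$key];
            }
            return is_scalar($node) && (string)$node === $expected;
        default:                       // unknown type: fail closed, never execute
            return false;
    }
}
// Constructed sample rows standing in for the xm_index table (not real data).
$rows = [
    ['id' => 1, 'status' => 1, 'check_type' => 'http_status',      'check_param' => '200'],
    ['id' => 2, 'status' => 1, 'check_type' => 'json_path_equals', 'check_param' => 'data.status=ok'],
    ['id' => 3, 'status' => 1, 'check_type' => 'php',              'check_param' => 'return true;'],
];
$body = '{"data":{"status":"ok"}}';
foreach ($rows as $row) {
    if ((int)$row['status'] !== 1) {
        continue;                      // same status = 1 filter as the original loop
    }
    // Row 3 is refused: free-form code is no longer a valid check type.
    printf("monitor %d: %s\n", $row['id'], runCheck($row, 200, $body) ? 'up' : 'down');
}
```

Because the check parameters are plain data, a stored row can at most make a monitor report "down"; nothing in the row is ever executed.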
Preconditions
- Auth: the attacker must have a registered and logged-in user account on the target instance.
- Config: the `php think VpsTest` command must be executed (via cron or manually) after the malicious record is saved.
- Network: the attacker must be able to reach the `/index/index/edit` endpoint over the network.
- Input: the attacker submits a malicious PHP payload in the `vf` field of a monitoring entry.
Reproduction
1. Register an account on the target instance and log in. 2. Navigate to `http://
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/dntyfate/cve/issues/2 (MITRE; exploit, issue-tracking)
- vuldb.com/submit/811843 (MITRE; third-party advisory)
- github.com/546669204/vps-inventory-monitoring/issues/36 (MITRE; issue-tracking)
- vuldb.com/vuln/365249 (MITRE; VDB entry, technical description)
- vuldb.com/vuln/365249/cti (MITRE; signature, permissions required)
News mentions
No linked articles in our index yet.