VYPR
Advisory · Published Apr 24, 2026 · Updated May 18, 2026 · 1 source

Metasploit Framework Adds Exploits for Camaleon CMS, Langflow, and WebDAV PHP Upload Vulnerabilities

Rapid7's latest Metasploit Wrap-Up introduces four new modules, including exploits for a directory traversal in Camaleon CMS, a prompt injection RCE in Langflow, and an updated WebDAV PHP Upload module with Linux support.

Rapid7 released its Metasploit Wrap-Up for April 25, 2026, adding four new modules and several enhancements to the penetration testing framework. The update includes an auxiliary module targeting a directory traversal vulnerability in Camaleon CMS, an exploit for a prompt injection remote code execution flaw in Langflow, an updated WebDAV PHP Upload module with Linux support, and a new Linux payload for the LoongArch64 architecture.

The first new module exploits CVE-2024-46987, an arbitrary file download vulnerability in Camaleon CMS versions 2.8.0 and 2.9.0. This auxiliary module allows attackers to download private files from affected servers, potentially exposing sensitive configuration data or credentials. The vulnerability was originally disclosed in 2024 but has now been weaponized for Metasploit, making it easier for penetration testers and attackers alike to exploit unpatched instances.

A second exploit module targets CVE-2026-27966, a prompt injection remote code execution vulnerability in Langflow versions prior to 1.8.0. Langflow is a popular open-source tool for building LangChain-based AI applications. The vulnerability arises because LangChain's Read-Eval-Print Loop (REPL) is exposed by default, allowing attackers to craft malicious Python flows that execute arbitrary code on the server. This module, contributed by Takahiro Yokoyama and weblover12, highlights the growing security risks associated with AI development frameworks that expose powerful execution environments.

The WebDAV PHP Upload module (CVE-2012-10062) has been significantly updated by community member g0tmi1k. The module now supports Linux targets in addition to Windows, includes a check() method to verify vulnerability status before exploitation, and performs cleanup after exploitation. This update broadens the module's applicability, as many Linux-based web servers expose WebDAV with PHP upload capabilities.
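From the defender's side, the activity such a module leaves in web-server access logs is easy to look for: a WebDAV write method placing a PHP-extension file, a rename of a file uploaded moments earlier, and a later DELETE of the flagged script (the footprint of an exploit that cleans up after itself). The snippet below is an added example, not code from the wrap-up or from the module; the Apache-style log lines, IP addresses and file names are constructed samples.

```python
import re

# Apache combined-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a PHP-enabled server would execute on request.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)

# Constructed sample log: one upload-use-delete sequence, one rename, one refused PUT.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2026:10:01:02 +0000] "OPTIONS /webdav/ HTTP/1.1" 200 0
203.0.113.7 - - [25/Apr/2026:10:01:03 +0000] "PUT /webdav/AbCdEf.php HTTP/1.1" 201 0
203.0.113.7 - - [25/Apr/2026:10:01:04 +0000] "GET /webdav/AbCdEf.php HTTP/1.1" 200 512
203.0.113.7 - - [25/Apr/2026:10:01:05 +0000] "DELETE /webdav/AbCdEf.php HTTP/1.1" 204 0
198.51.100.9 - - [25/Apr/2026:10:02:00 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0
198.51.100.9 - - [25/Apr/2026:10:02:01 +0000] "MOVE /webdav/notes.txt HTTP/1.1" 201 0
198.51.100.9 - - [25/Apr/2026:10:02:02 +0000] "PUT /webdav/evil.php HTTP/1.1" 403 0
"""


def find_webdav_php_uploads(log_text):
    """Return (ip, method, path, note) findings in log order."""
    findings = []
    uploaded = set()  # (ip, path) written by a successful PUT
    flagged = set()   # (ip, path) already reported as a PHP upload
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        ip, method, path = m["ip"], m["method"], m["path"]
        key, ok = (ip, path), 200 <= int(m["status"]) < 300
        if method == "PUT" and ok:
            uploaded.add(key)
            if PHP_EXT.search(path):
                flagged.add(key)
                findings.append((ip, method, path, "PHP script written via WebDAV PUT"))
        elif method in ("MOVE", "COPY") and ok and key in uploaded:
            # The new name is in the Destination header, which access logs omit.
            findings.append((ip, method, path, "uploaded file renamed/copied; check Destination"))
        elif method == "DELETE" and ok and key in flagged:
            findings.append((ip, method, path, "flagged PHP script removed (cleanup after use)"))
    return findings
```

Only the request line is parsed, so a 403 on a PHP PUT is not a finding; pair the output with server error logs if you need to see refused attempts as well.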

Additionally, the update introduces a new Linux payload for the LoongArch64 architecture, a 64-bit RISC architecture developed by Loongson Technology. The linux/loongarch64/chmod payload changes file permissions on target systems, providing a lightweight post-exploitation capability for this emerging architecture.

Beyond new modules, the release includes 11 enhancements and four bug fixes. Notable improvements include better SMB version detection for legacy and non-Windows targets, reduced memory footprint for module metadata caching, and a new method to discover writable directories on Unix systems. Bug fixes address crashes in HTTP module loading, SMB module issues when targeting Samba, and false positives in the CouchDB enumeration scanner.

This update continues Metasploit's tradition of rapidly incorporating newly disclosed vulnerabilities into its framework, enabling security professionals to test defenses against real-world threats. The inclusion of AI-related vulnerabilities like the Langflow RCE reflects the expanding attack surface as organizations adopt AI development tools.

Synthesized by Vypr AI