CVE-2023-26469
published 2023-08-17CVE-2023-26469: In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
PriorityP194critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
81.92%
99.6th percentile
In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jorani | jorani | — | — |
Detection & IOCsextracted from sources · hover to see the quote
otherhttp.favicon.hash:-2032163853
othericon_hash=-2032163853
url/session/login
path..%2F..%2Fapplication%2Flogs
cookiecsrf_test_jorani
- →The exploit chains three vulnerabilities: log poisoning, redirection bypass via header spoofing, and path traversal to achieve unauthenticated RCE. Detection should look for path traversal sequences in the `language` POST parameter targeting `/session/login`. ↗
- →Monitor POST requests to `/session/login` where the `language` parameter contains directory traversal sequences (e.g., `../`) pointing to application log directories.
- →Monitor GET requests to `/pages/view/log-<date>` with the `X-REQUESTED-WITH: XMLHttpRequest` header, which is used to trigger log file inclusion after log poisoning.
- →A 401 HTTP response status combined with the RCE payload marker string `7cca0844e81cd333152def045fe075c2` in the response body is the exploit success condition used in the Nuclei template.
- →The exploit is unauthenticated and affects Jorani prior to version 1.0.2; prioritize detection on internet-exposed Jorani instances identifiable via Shodan favicon hash -2032163853. ↗
- ·The `CipheredValue=DummyPassword` field in the POST body is a placeholder used by the PoC/template and does not represent a real credential; actual exploitation may use different values.
- ·The EPSS score of 0.92657 (99.748th percentile) indicates very high exploitation probability in the wild; this CVE should be treated as actively exploited.
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7r9h-9r47-7vjj: In Jorani 1
ghsa_unreviewed·2023-08-17
CVE-2023-26469 [CRITICAL] CWE-22 GHSA-7r9h-9r47-7vjj: In Jorani 1
In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
VulnCheck
jorani jorani Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2023·CVSS 9.8
CVE-2023-26469 [CRITICAL] jorani jorani Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
jorani jorani Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
Affected: jorani jorani
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF
Exploit PoC: https://vulncheck.com/xdb/c664b0552c9b; https://vulncheck.com/xdb/c40410a15d3c
No detection rules found.
Nuclei
Jorani 1.0.0 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2023-26469 [CRITICAL] Jorani 1.0.0 - Remote Code Execution
Jorani 1.0.0 - Remote Code Execution
Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
Template:
id: CVE-2023-26469
info:
name: Jorani 1.0.0 - Remote Code Execution
author: pussycat0x
severity: critical
description: |
Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
remediation: |
Upgrade Jorani to a patched version or apply the necessary security patches.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-26469
- https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py
- https://github.com/advisories/GHSA-7r9h-9r47-7vjj
Metasploit
Jorani unauthenticated Remote Code Execution
metasploit
Jorani unauthenticated Remote Code Execution
Jorani unauthenticated Remote Code Execution
This module exploits an unauthenticated Remote Code Execution in Jorani prior to 1.0.2. It abuses 3 vulnerabilities: log poisoning and redirection bypass via header spoofing, then it uses path traversal to trigger the vulnerability. It has been tested on Jorani 1.0.0.
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
NoiseLetter October 2024
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Wiz
CVE-2025-67102 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-67102 [MEDIUM] CVE-2025-67102 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67102 :
Jorani vulnerability analysis and mitigation
A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter.
Source : NVD
## 7.6
Score
Published February 17, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
Jorani
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:jorani:jorani
Sources
Linux Severity HIGH No Fix Added at: Apr 05, 2026
Windows Severity HIGH No Fix Added at: Apr 05, 2026
Linux Severity HIGH No Fix Added at: Apr 06, 2026
Windows Severity HIGH No Fix Ad
Wiz
CVE-2023-53870 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2023-53870 [MEDIUM] CVE-2023-53870 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2023-53870 :
Jorani vulnerability analysis and mitigation
Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information.
Source : NVD
## 5.1
Score
Published December 15, 2025
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Jorani
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:jorani:jorani
Sources
NVD
Linux No Fix Added at: Dec 16, 2025
Windows No Fix Added at: Dec 1
http://packetstormsecurity.com/files/174248/Jorani-Remote-Code-Execution.htmlhttps://github.com/Orange-Cyberdefense/CVE-repository/tree/masterhttps://jorani.org/security-features-in-lms.htmlhttp://packetstormsecurity.com/files/174248/Jorani-Remote-Code-Execution.htmlhttps://github.com/Orange-Cyberdefense/CVE-repository/tree/masterhttps://jorani.org/security-features-in-lms.html
2023-08-17
Published
Exploited in the wild