CVE-2023-53888
published 2025-12-15CVE-2023-53888: Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file…
PriorityP259high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.82%
52.8th percentile
Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload files (such as JavaScript) and rename them to .php via the saveE and rename actions, then execute the resulting PHP payload to run system commands.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zomp | zomplog | — | — |
| zomplog | zomplog | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.6HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Zomplog 3.9 code injection (Exploit 51624 / EUVD-2025-203421)
vuldb·2026-05-27·CVSS 8.6
CVE-2023-53888 [HIGH] Zomplog 3.9 code injection (Exploit 51624 / EUVD-2025-203421)
A vulnerability labeled as critical has been found in Zomplog 3.9. This affects an unknown function. Such manipulation leads to code injection.
This vulnerability is uniquely identified as CVE-2023-53888. The attack can be launched remotely. Moreover, an exploit is present.
GHSA
GHSA-9g2h-fh68-3p2v: Zomplog 3
ghsa_unreviewed·2025-12-15
CVE-2023-53888 [HIGH] CWE-94 GHSA-9g2h-fh68-3p2v: Zomplog 3
Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the saveE and rename actions in the application.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-12-15
Published