CVE-2010-10013
AjaXplorer < 2.6 checkInstall.php Unauthenticated RCE
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
An unauthenticated remote command execution vulnerability exists in AjaXplorer (now known as Pydio Cells) versions prior to 2.6. The flaw resides in the checkInstall.php script within the access.ssh plugin, which fails to properly sanitize user-supplied input to the destServer GET parameter. By injecting shell metacharacters, remote attackers can execute arbitrary system commands on the server with the privileges of the web server process.
| CWE | CWE-78 |
| Vendor | ajaxplorer |
| Product | ajaxplorer |
| Published | Aug 8, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
AjaXplorer / AjaXplorer
* < 2.6
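A defender's check for the injection pattern described above, as an added example that is not part of the original advisory or of AjaXplorer: it scans combined-format web access logs for requests to checkInstall.php whose decoded destServer value contains shell metacharacters. The log lines, request paths and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters a shell treats specially; a plain server name needs none of them.
SHELL_META = re.compile(r"""[;&|`$(){}<>\\'"!*?~\s]""")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (addresses, paths and values are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /files/plugins/access.ssh/'
    'checkInstall.php?destServer=ssh.example.org HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /files/plugins/access.ssh/'
    'checkInstall.php?destServer=%3Bid%3B HTTP/1.1" 200 731',
    '198.51.100.4 - - [01/Jan/2024:10:01:12 +0000] "GET /files/plugins/access.ssh/'
    'checkInstall.php?destServer=host%7C%7Cuname+-a HTTP/1.1" 200 640',
    '198.51.100.4 - - [01/Jan/2024:10:01:20 +0000] "GET /index.php?destServer=%3Bid '
    'HTTP/1.1" 404 0',
]

def suspicious_destserver(log_line):
    """Return the decoded destServer value when the line is a request to
    checkInstall.php carrying shell metacharacters in destServer, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # Match on the script name only, so any install prefix is covered.
    if not url.path.lower().endswith("/checkinstall.php"):
        return None
    # parse_qsl percent-decodes values, so encoded metacharacters are caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "destserver" and SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_value) for every flagged log line."""
    hits = []
    for line in lines:
        value = suspicious_destserver(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} destServer={value!r}")
```

Any hit on an installation older than 2.6 warrants review of what the web server process did around that timestamp, since the request requires no authentication.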
References
sourceforge.net: https://sourceforge.net/projects/ajaxplorer/
exploit-db.com: https://www.exploit-db.com/exploits/21993
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
tenable.com: https://www.tenable.com/plugins/nessus/45489
vulncheck.com: https://www.vulncheck.com/advisories/ajaxplorer-unauth-rce
Credits
Julien Cayssol