CVE-2012-10033
Narcissus backend.php Image Configuration Command Injection
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Narcissus is vulnerable to remote code execution via improper input handling in its image configuration workflow. Specifically, the backend.php script fails to sanitize the release parameter before passing it to the configure_image() function. This function invokes PHP’s passthru() with the unsanitized input, allowing attackers to inject arbitrary system commands. Exploitation occurs via a crafted POST request, resulting in command execution under the web server’s context.
| CWE | CWE-78 |
| Vendor | ångström distribution project |
| Product | narcissus |
| Published | Aug 5, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
Ångström Distribution Project / Narcissus
*
References
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/narcissus_backend_exec.rb
exploit-db.com: https://www.exploit-db.com/exploits/22709
exploit-db.com: https://www.exploit-db.com/exploits/22856
web.archive.org: https://web.archive.org/web/20101127002623/https://narcissus.angstrom-distribution.org/
vulncheck.com: https://www.vulncheck.com/advisories/narcissus-image-config-command-injection
Credits
Dun