VDB
GCVE-110-OSM-2026-1208
GCVE-110-OSM-2026-1208
Advisory PublishedCVSS 9.6/10
The most capable payload in the campaign. Performs a full internal network scan (172.20.77.0/24 and 10.x subnets), exfiltrates git credentials (/root/.git-credentials, .netrc), extracts GitLab tokens from git remote URLs, dumps the Strapi PostgreSQL database including strapi_administrator, users-permissions_user, core_store (JWT secrets), and all wallet/payment tables. Also reads Jenkins deploy scripts (build.groovy, sync-data.groovy, system.backup.groovy), SSH private keys (/root/.ssh/id_rsa),
postinstall.js (281 lines): (1) TCP port scans 172.20.77.0/30 and 10.x/24 subnets across 9 ports (22,80,443,1337,3000,5432,6379,8080,9090). (2) Reads /app/deploy/build.groovy, sync-data.groovy, system.backup.groovy, content.backup.groovy (Jenkins pipeline scripts). (3) Exfiltrates /root/.git-credentials, /root/.netrc, git remote URLs. (4) Installs pg module to /tmp/node_modules, spawns a separate pg_dump.js with its own embedded send() targeting the same VPS — creates strapi and strapi_stage DB dumps. (5) Probes proxy.nexus.local:8081 for internal package registry. (6) DNS-resolves internal service hostnames. (7) Reads SSH keys from /root/.ssh/. (8) Reads application-specific config files: cnApi.js, cmcApi.js, guardarianApi.js, cnContentApi.js, telegram-api.js.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-cms-tools | 3.6.8 (affected) | — |
Browse GCVE Records
73,834 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.