VDB

GCVE-110-OSM-2026-1208

GCVE-110-OSM-2026-1208
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
The most capable payload in the campaign. Performs a full internal network scan (172.20.77.0/24 and 10.x subnets), exfiltrates git credentials (/root/.git-credentials, .netrc), extracts GitLab tokens from git remote URLs, dumps the Strapi PostgreSQL database including strapi_administrator, users-permissions_user, core_store (JWT secrets), and all wallet/payment tables. Also reads Jenkins deploy scripts (build.groovy, sync-data.groovy, system.backup.groovy), SSH private keys (/root/.ssh/id_rsa), postinstall.js (281 lines): (1) TCP port scans 172.20.77.0/30 and 10.x/24 subnets across 9 ports (22,80,443,1337,3000,5432,6379,8080,9090). (2) Reads /app/deploy/build.groovy, sync-data.groovy, system.backup.groovy, content.backup.groovy (Jenkins pipeline scripts). (3) Exfiltrates /root/.git-credentials, /root/.netrc, git remote URLs. (4) Installs pg module to /tmp/node_modules, spawns a separate pg_dump.js with its own embedded send() targeting the same VPS — creates strapi and strapi_stage DB dumps. (5) Probes proxy.nexus.local:8081 for internal package registry. (6) DNS-resolves internal service hostnames. (7) Reads SSH keys from /root/.ssh/. (8) Reads application-specific config files: cnApi.js, cmcApi.js, guardarianApi.js, cnContentApi.js, telegram-api.js.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstrapi-plugin-cms-tools3.6.8 (affected)

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›