VDB
GCVE-110-OSM-2026-1491
GCVE-110-OSM-2026-1491
Advisory PublishedCVSS 5.4/10
Dependency confusion proof-of-concept targeting @gameforge/http-server. Executes 'id && pwd && head -n 10 /etc/passwd' at preinstall and exfiltrates the output to a Telegram bot (chat_id 1483949647) via api.telegram.org.
preinstall executes index.js which runs 'id && pwd && head -n 10 /etc/passwd' via exec(), formats output as 'GAMEFORGE HIT - CONFIRMED RCE', then sends to attacker Telegram bot (token 7801695443:AAFS7MKLcAnAAkEClSTpq7QTrK3bCYrgYOA, chat_id 1483949647) via HTTPS GET.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | frontend-backoffice | 99.9.99 (affected) | — |
Browse GCVE Records
73,834 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.