VDB

GCVE-110-OSM-2026-1491

GCVE-110-OSM-2026-1491
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 7, 2026
Dependency confusion proof-of-concept targeting @gameforge/http-server. Executes 'id && pwd && head -n 10 /etc/passwd' at preinstall and exfiltrates the output to a Telegram bot (chat_id 1483949647) via api.telegram.org. preinstall executes index.js which runs 'id && pwd && head -n 10 /etc/passwd' via exec(), formats output as 'GAMEFORGE HIT - CONFIRMED RCE', then sends to attacker Telegram bot (token 7801695443:AAFS7MKLcAnAAkEClSTpq7QTrK3bCYrgYOA, chat_id 1483949647) via HTTPS GET.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownfrontend-backoffice99.9.99 (affected)

References

vendor

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›