CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2024-20328

ClamAV VirusEvent: When the Antivirus Becomes the Virus

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 1, 2026·5 min read·127 visits

Executive Summary (TL;DR)

ClamAV's configuration allows admins to run a command when a virus is found. By failing to sanitize the filename placeholder (%f) before passing it to 'sh -c', the engine executes any shell commands embedded in the name of the infected file. It's a 1990s-style vulnerability in a 2024 security product.

A classic OS Command Injection vulnerability in ClamAV's 'VirusEvent' feature allows local attackers to execute arbitrary code by simply naming a file with malicious shell characters.

Official Patches

CiscoOfficial Cisco Security Advisory
ClamAV BlogRelease notes for fixed versions

Fix Analysis (1)

Technical Appendix

CVSS Score
5.3/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Probability
0.04%
Top 100% most exploited

Affected Systems

Cisco ClamAV 1.2.0 - 1.2.1Cisco ClamAV 1.1.x (all versions)Cisco ClamAV 1.0.0 - 1.0.4Cisco ClamAV 0.104.xCisco ClamAV 0.105.x

Affected Versions Detail

Product
Affected Versions
Fixed Version
ClamAV
Cisco
1.2.0 - 1.2.11.2.2
ClamAV
Cisco
1.0.0 - 1.0.41.0.5
ClamAV
Cisco
<= 0.105.x1.0.5
AttributeDetail
CWECWE-78 (OS Command Injection)
Attack VectorLocal (potentially Remote via file upload)
CVSS v3.15.3 (Medium)
ImpactArbitrary Code Execution / Privilege Escalation
Vulnerable Componentclamd daemon (VirusEvent)
Exploit StatusProof of Concept Available

MITRE ATT&CK Mapping

T1203Exploitation for Client Execution
Execution
T1059.004Command and Scripting Interpreter: Unix Shell
Execution
T1574Hijack Execution Flow
Persistence
CWE-78
OS Command Injection

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Known Exploits & Detection

MetasploitModules targeting similar local command injections typically appear quickly.
GitHub PoCTechnical writeup and reproduction steps by Amit Schendel.
NucleiDetection Template Available

Vulnerability Timeline

Advisory Published by Cisco
2024-01-15
Fixed Versions Released (1.3.0, 1.2.2, 1.0.5)
2024-01-15
PoC Details Publicly Circulated
2024-02-01

References & Sources

  • [1]ClamAV Release Notes
  • [2]Deep Dive by Amit Schendel
Related Vulnerabilities
CVE-2023-20032CVE-2023-20052

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 14 hours ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
11 views•8 min read
•about 16 hours ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
7 views•5 min read
•about 22 hours ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
7 views•6 min read
•5 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
23 views•6 min read
•5 days ago•CVE-2026-55700
7.1

CVE-2026-55700: Path Traversal and Arbitrary File Write in pnpm stage download

A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.

Alon Barad
Alon Barad
16 views•4 min read
•5 days ago•GHSA-WW5P-J6CJ-6MQQ
5.5

GHSA-WW5P-J6CJ-6MQQ: Credential Exposure in Nezha Dashboard DDNS and Notification APIs

GHSA-WW5P-J6CJ-6MQQ is a technical credential exposure vulnerability in Nezha Dashboard prior to version 2.2.5. The vulnerability allows authenticated administrative users or actors possessing scoped read-only Personal Access Tokens (PATs) to exfiltrate plaintext third-party API credentials, secret keys, and webhook authorization headers due to a lack of data redaction during API object serialization.

Amit Schendel
Amit Schendel
10 views•7 min read