Listen to this Post
How CVE-2026-54065 Works
This vulnerability is a path traversal flaw that allows an authenticated administrator to delete arbitrary files within the NukeViet application root. The root cause is a two-stage process spanning two different scripts.
Stage 1: Injection (edit.php)
The vulnerability is introduced in modules/comment/admin/edit.php. When an administrator edits a comment, the `attach` parameter from the HTTP POST request is retrieved using `$nv_Request->get_string()` without any validation:
$attach = $nv_Request->get_string('attach', 'post', '', true);
if (!empty($attach)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
}
The `substr()` function strips a fixed number of characters equal to the length of the upload URL prefix (e.g., 26 characters for /nukeviet/uploads/comment/). By padding the payload with exactly 26 arbitrary characters followed by a path traversal sequence, an attacker can bypass this stripping and store a traversal path like `../../config.php` directly into the database.
Stage 2: Trigger (del.php)
When the comment is subsequently deleted, `del.php` reads the `attach` value from the database and passes it to nv_deletefile():
nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']);
The `nv_deletefile()` function resolves the path via `realpath()` and only verifies that the result is within `NV_ROOTDIR` — it does not restrict deletion to the uploads directory. This allows the deletion of any file in the installation root, including config.php, which immediately triggers the application’s install wizard.
DailyCVE Form
| Field | Value |
|-|-|
| Platform | NukeViet CMS |
| Version | < 4.6.00 |
| Vulnerability | Path Traversal |
| Severity | High (8.7) |
| Date | 2026-07-13 |
| Prediction | Already patched (4.6.00) |
What Undercode Say: Analytics
The vulnerability manifests through a two-file attack chain. Below is the vulnerable code path and the fix implementation.
Vulnerable Code (edit.php – before fix):
$attach = $nv_Request->get_string('attach', 'post', '', true);
if (!empty($attach)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
}
Fixed Code (edit.php – after fix):
$attach = $nv_Request->get_string('attach', 'post', '');
if (!empty($attach) and nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
} else {
$attach = '';
}
Fix Commit: `27ba63c32eea2782837b1464a930baf75f0b4d29`
Affected Component: `modules/comment/admin/edit.php`
Vulnerable Function: `nv_deletefile()` — resolves path via `realpath()` and only verifies result is within NV_ROOTDIR, with no restriction to the uploads directory
Exploit
Prerequisites:
- Authenticated administrator access
- Access to Admin → Comment Management
Steps to Reproduce:
- Log in as an administrator and navigate to Admin → Comment Management
- Select any comment and open the Edit form
- Intercept the POST request and set the `attach` parameter to:
aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php
(26 padding characters + traversal path)
- Submit the request — the value `../../config.php` is now stored in the database
- Delete the comment — `config.php` is deleted from the application root
- The application immediately redirects to the install wizard, confirming the file has been removed
Protection
Official Fix: Upgrade to NukeViet 4.6.00 or later
Patch Details:
- Added `nv_is_file()` validation before processing the `attach` value
- The function uses `realpath()` and a regex check to ensure the file resolves to a path within the intended upload directory
- Any traversal attempts are rejected and the `attach` value is set to an empty string
CVSS Vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H`
Impact
- Arbitrary File Deletion: Any file readable by the web server process within `NV_ROOTDIR` can be permanently deleted
- Full Application Outage: Deleting `config.php` causes a complete application failure and exposes the install wizard
- Integrity Impact: High (critical configuration files can be destroyed)
- Availability Impact: High (application becomes completely inoperable)
- Scope: Changed — the vulnerable component impacts resources beyond its security scope
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

