CVE-2026-35482— alf.io has an Authenticated RCE via Extension Script Sandbox Escape
Possible ATT&CK Techniques 1AI
T1068.001Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35482
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
alf.io has an Authenticated RCE via Extension Script Sandbox Escape
Source: NVD (National Vulnerability Database)
Vulnerability Description
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system commands on the server. The extension system is intended to execute restricted JavaScript in a sandboxed Rhino environment; however, a combination of an unguarded injected Java object (`returnClass`) and an incomplete AST blocklist allows the sandbox to be fully escaped using Java reflection without triggering any validation errors. Version 2.0-M5-2606 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| alfio-event | alf.io | < 2.0-M5-2606 | - |
II. Public POCs for CVE-2026-35482
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 6651 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-35482
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-35482 (1)
IV. Related Vulnerabilities
Same product: alf.io
- CVE-2026-41412
alf.io vulnerable to Arbitrary File Read and Exfil via simpl - CVE-2024-45300
Bypassing promo code limitations with race conditions - CVE-2024-45299
alf.io's preloaded data as json is not escaped correctly - CVE-2024-25634
IDOR make user can read e-mail log sent by other events - CVE-2024-25635
IDOR Vulnerability: Allowing Organization Owner to view the
Same vendor: alfio-event
- CVE-2026-41412
alf.io vulnerable to Arbitrary File Read and Exfil via simpl - CVE-2024-45300
Bypassing promo code limitations with race conditions - CVE-2024-45299
alf.io's preloaded data as json is not escaped correctly - CVE-2024-25634
IDOR make user can read e-mail log sent by other events - CVE-2024-25635
IDOR Vulnerability: Allowing Organization Owner to view the
Same weakness: CWE-863
- CVE-2026-44654
LibreChat: Shared-agent editor can globally delete owner's f - CVE-2026-3514
Authentication Bypass in prefecthq/prefect - CVE-2026-9048
Slider Revolution 7.0.0 - 7.0.14 - Incorrect Authorization t - CVE-2026-45426
Apache Airflow: Log server JWT authorization bypass via Pyth - CVE-2026-10211
AstrBotDevs AstrBot fs.py _normalize_rw_path authorization
V. Comments for CVE-2026-35482
No comments yet