CVE-2023-40023

Yaklang Plugin's Fuzztag Component Allows Unauthorized Local File Reading

Description

Yaklang is a programming language designed for cybersecurity. The Yak Engine has been found to contain a local file inclusion (LFI) vulnerability. This vulnerability allows attackers to include files from the server's local file system through the web application. When exploited, this can lead to the unintended exposure of sensitive data, potential remote code execution, or other security breaches. Users of Yak Engine versions prior to 1.2.4-sp1 are impacted. This vulnerability has been patched in version 1.2.4-sp1. Users are advised to upgrade. Users unable to upgrade should avoid exposing vulnerable versions to untrusted input and closely monitor any unexpected server behavior until they can upgrade.

Category

CVSS 3.1: 6.5
Severity: Medium
EPSS: 0.16%
Third-Party Advisory: github.com
Affected: yaklang yaklang

Frequently Asked Questions

What is the severity of CVE-2023-40023?
CVE-2023-40023 has been scored as a medium severity vulnerability.
How to fix CVE-2023-40023?
To fix CVE-2023-40023, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, there are no other specific guidelines available.
Is CVE-2023-40023 being actively exploited in the wild?
For now, there is no information to confirm that CVE-2023-40023 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-40023?
CVE-2023-40023 affects yaklang yaklang.