OVE-20190623-0001 - Christine Dodrill

Root-level Remote Command Injection in the V playground (OVE-20190623-0001)

The real CVEs are the friends we made along the way
- awilfox

While playing with the V playground, a root-level command injection vulnerability was discovered. It allows an unauthenticated attacker to execute arbitrary root-level commands on the playground server. This vulnerability is instantly exploitable by a remote, unauthenticated attacker in the default configuration.

To remotely exploit this vulnerability, an attacker must send specially crafted HTTP requests to the playground server containing a malformed function call. This playground server is not open sourced or versioned yet, but this vulnerability has led to the compromise of the box, as reported by the lead developer of V.

V allows for calling ...

Linked on 2019-06-24 15:50:46