CVE-2016-15044

Kaltura < 11.1.0-2 PHP Object Injection RCE

CVSS 9.3 CRITICALEPSS 1.4%CWE-502 CWE-94

Vexday Risk Score

63High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.3EPSS 1.4%KEV nãoPoC públicaNuclei —Metasploit simPatch —

Lifecycle

15 Mar 2016Metasploit module available

23 Jul 2025Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Kaltura · Video Platform

public PoCs found — 3

cve_referenceraw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kaltura_unserialize_rce.rbunverified cve_referencewww.exploit-db.com/exploits/39563unverified cve_referencewww.exploit-db.com/exploits/40404unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kaltura_unserialize_rce.rb https://www.exploit-db.com/exploits/39563 https://www.exploit-db.com/exploits/40404 https://www.vulncheck.com/advisories/kaltura-php-object-injection-rce