yogeshojha/rengine

GitHub

github.com

yogeshojha.github.io

Releases28

Frequency1 month 3 weeks

Last Release over 1 year ago

Stars8.69K

reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration and with the help of reNgine's correlation, it just makes recon effortless.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-58287 ↗	Dec 11, 2025Thursday, 11 December 2025, 22:15	8.8 HIGH	—
reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands. Attackers can modify the nmap_cmd parameter with malicious base64-encoded payloads to achieve remote code execution during scan engine configuration.
CVE-2025-61319 ↗	Oct 10, 2025Friday, 10 October 2025, 14:15	6.1 MEDIUM	—
ReNgine thru 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability in the Vulnerabilities module. When scanning a target with an XSS payload, the unsanitized payload is rendered in the ReNgine web UI, resulting in arbitrary JavaScript execution in the victim's browser. This can be abused to steal session cookies, perform unauthorized actions, or compromise the ReNgine administrator's account.
CVE-2024-43381 ↗	Aug 16, 2024Friday, 16 August 2024, 15:15	5 MEDIUM	—
reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are susceptible to Stored Cross-Site Scripting (XSS) attacks. This vulnerability occurs when scanning a domain, and if the target domain's DNS record contains an XSS payload, it leads to the execution of malicious scripts in the reNgine's dashboard view when any user views the scan results. The XSS payload is directly fetched from the DNS record of the remote target domain. Consequently, an attacker can execute the attack without requiring any additional input from the target or the reNgine user. A patch is available and expected to be part of version 2.1.3.
CVE-2024-41661 ↗	Jul 23, 2024Tuesday, 23 July 2024, 18:15	—	—
Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-50094. Reason: This candidate is a duplicate of CVE-2023-50094. Notes: All CVE users should reference CVE-2023-50094 instead of this candidate.
CVE-2023-50094 ↗	Jan 1, 2024Monday, 1 January 2024, 18:15	8.8 HIGH	—
reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/waf_detector/?url= string. The commands are executed as root via subprocess.check_output.
CVE-2022-1813 ↗	May 22, 2022Sunday, 22 May 2022, 16:15	9.8 CRITICAL	7.5 HIGH
OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0.
CVE-2021-39491 ↗	Mar 24, 2022Thursday, 24 March 2022, 15:15	5.4 MEDIUM	3.5 LOW
A Cross Site Scripting (XSS) vulnerability exists in Yogesh Ojha reNgine v1.0 via the Scan Engine name file in the Scan Engine deletion confirmation modal box . .
CVE-2021-38606 ↗	Aug 12, 2021Thursday, 12 August 2021, 16:15	9.8 CRITICAL	7.5 HIGH
reNgine through 0.5 relies on a predictable directory name.