## https://sploitus.com/exploit?id=08B53495-61C6-5F9D-B63B-BEA3ADDB0C6F
This is functional proof of concept code based on the CISA disclosure of a reported vulnerability in Grassmarlin posted on 4/28/2026.
Looking at the code for Grassmarlin, I determined that the likely vulnerable parameters had to do with the XML files ingested when opening stored sessions. By crafting malicious requests I discovered I could induce an error in the message console within Grassmarlin. The cause and content of the error was properly stripped from all logs and output within Grassmarlin.
However, OOB exfiltration of arbitrary files was possible by referencing an external host in the DTD. Some caveats did appear to apply, newer versions of Java could not be used on the system, meaning that Grassmarlin had to use the version of Java bundled in the installer. Additionally, many types of input would cause errors which would impede the exfil process. To bypass this, the content would be converted to base64 and then sent across multiple message chunks.
Enjoy!