# JUL-448

Published on 13 April 2026 – by Alex Morgan, Senior Security Engineer

## TL;DR

| | |
|----------|-------------------------------------------------------------------------------|
| What | JUL‑448 is a Remote Code Execution (RCE) flaw in the Julius web‑framework (v4.3–4.7) that allows an unauthenticated attacker to execute arbitrary commands on the host machine via a crafted HTTP request. |
| Why it matters | The framework powers more than 2 million production sites worldwide – from SaaS platforms to government portals. Successful exploitation can lead to full system compromise, data exfiltration, and ransomware deployment. |
| Who is affected? | Any installation of Julius 4.3‑4.7 that has not applied the official security patch (released 28 Feb 2024) and runs on a default configuration where allowUrlInclude is enabled. |
| How to fix it | 1. Upgrade to Julius 4.8.1 or later (or apply the back‑ported patch v4.7.3‑p1). 2. Disable allowUrlInclude in php.ini / framework config. 3. Enforce a strict CSP and WAF rules for the vulnerable endpoint. |
| What to do now | Run the quick detection script below, audit logs for suspicious activity, rotate all credentials, and consider a full incident‑response run‑book if you spot exploitation. |

## 1. The Backstory – Why “JUL‑448” Became a Household Name

In early January 2024, security researcher Mira Patel of SecureSphere Labs posted a proof‑of‑concept (PoC) on GitHub titled “JUL‑448: RCE in Julius 4.x via file_get_contents()”. Within hours, the issue exploded across security mailing lists, Reddit’s r/netsec, and mainstream tech news (e.g., The Verge, Wired, TechCrunch).

The name “JUL‑448” follows the internal ticketing scheme of the Julius development team: JUL for Julius and 448 for the sequential issue number. The bug was originally logged as a “low‑severity input validation issue” back in October 2023, but it was later re‑rated to Critical (CVSS 9.8) after the PoC demonstrated remote code execution without authentication.

## 2. The Numbers

| Metric | Figure (as of 31 Mar 2026) |
|--------|----------------------------|
| GitHub Stars (Julius repo) | 18 k |
| NPM/Composer downloads (last 30 days) | 1.2 M |
| Affected domains (Shodan scan) | ≈ 2.3 M |
| Reported exploits | 47 confirmed, 312 suspicious attempts (Jan‑Mar 2024) |
| Patch adoption | 71 % (global), 52 % (EU), 89 % (US) |

## 3. Who Is Affected

The flaw sits in the template engine's `render()` method, which passes a request-controlled path straight to `file_get_contents()`. With `allow_url_include` enabled, that path can be a remote URL or a PHP stream wrapper, so the template source itself becomes attacker-supplied:

```php
// src/Engine/TemplateEngine.php (v4.5)
public function render(string $templatePath, array $data = []): string
{
    // $templatePath comes from a GET parameter `tpl`
    $raw = file_get_contents($templatePath); // ← vulnerable line
    return $this->compile($raw, $data);
}
```

The corrected `render()` resolves the path with `realpath()` and only accepts it if it is on an explicit allow-list of absolute template paths. `realpath()` returns `false` for URLs, stream wrappers and non-existent files, and the strict `in_array()` comparison rejects `false`, so traversal and remote inclusion both fail closed:

```php
private $allowedTemplates = [
    '/var/www/templates/header.html',
    '/var/www/templates/footer.html',
    // add more absolute paths here
];

public function render(string $templatePath, array $data = []): string
{
    // realpath() canonicalises "../" segments and yields false for URLs/wrappers
    $realPath = realpath($templatePath);
    if (!in_array($realPath, $this->allowedTemplates, true)) {
        throw new \InvalidArgumentException('Invalid template path');
    }
    $raw = file_get_contents($realPath);
    return $this->compile($raw, $data);
}
```

If your organization runs any public‑facing service powered by Julius 4.3–4.7, treat JUL‑448 as .

## 4. Mitigation & Remediation – Step‑by‑Step

### 4.1. Immediate “Kill‑Switch”

If you cannot upgrade right now, apply the runtime configuration hardening:

## 5. Quick Detection Script

The script below walks a code tree and flags PHP files that pass a bare variable to `file_get_contents()` while `allow_url_include` is enabled in the running interpreter:

```php
#!/usr/bin/php
<?php
// Simple detection script for JUL‑448: report PHP files that hand a bare
// variable to file_get_contents() while allow_url_include is switched on.
$base = __DIR__;
$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
);

// ini_get() returns the setting's value ("1", "On", "" ...), not an ini line,
// so normalise it to a boolean instead of pattern-matching "allow_url_include = On".
$urlIncludeEnabled = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);

foreach ($files as $file) {
    if ($file->getExtension() !== 'php') {
        continue;
    }
    $content = file_get_contents($file->getPathname());
    if ($urlIncludeEnabled
        && preg_match('/file_get_contents\(\s*\$[a-zA-Z0-9_]+\s*\)/', $content)) {
        echo "[!] Potential JUL‑448 in: " . $file->getPathname() . "\n";
    }
}
```

Note that `ini_get()` reports the configuration of the interpreter running the script; run it with the same SAPI and php.ini as your web server (or check the web SAPI's `allow_url_include` separately), otherwise a CLI with the option off will stay silent about a vulnerable FPM/mod_php deployment.
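The "audit logs for suspicious activity" step above needs something concrete to look for. The following is an added example, not code from the article or the Julius project: a small Python log audit that extracts the `tpl` query parameter from combined-format access-log lines and flags values that are a URL or stream wrapper, a traversal sequence, or anything other than a bare template file name. The endpoint path `/render`, the sample log lines and the IP addresses are constructed for illustration; the parameter name `tpl` is the one the article names.

```python
"""Audit combined-format access logs for abusive `tpl` parameter values.

Added example (not part of the original article or of Julius). Assumes the
vulnerable endpoint reads the template path from the GET parameter `tpl`
and that logs are in Apache/Nginx combined format. All log lines below are
constructed sample data.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log: one benign request, one remote-URL value, one traversal.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Feb/2024:10:12:01 +0000] "GET /render?tpl=header.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2024:10:12:05 +0000] "GET /render?tpl=http%3A%2F%2F198.51.100.7%2Ft.txt HTTP/1.1" 200 1044 "-" "curl/8.4.0"
198.51.100.7 - - [02/Feb/2024:10:12:09 +0000] "GET /render?tpl=..%2F..%2Fconfig.php HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Policy: a legitimate template reference is a bare file name, nothing else.
SAFE_TPL = re.compile(r'^[A-Za-z0-9_.-]+$')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*:', re.IGNORECASE)  # http://, php://, data:, ...


def classify_tpl(value: str) -> Optional[str]:
    """Return a reason string if the tpl value is out of policy, else None."""
    # parse_qs already decodes once; decode again so double-encoded values are caught too.
    v = unquote(value)
    if SCHEME_RE.match(v):
        return "url-or-stream-wrapper"
    if ".." in v or v.startswith("/"):
        return "path-traversal"
    if not SAFE_TPL.match(v):
        return "unexpected-characters"
    return None


def scan_log(text: str) -> list:
    """Return one finding per request whose `tpl` value fails the policy."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m["target"]).query
        for tpl in parse_qs(query).get("tpl", []):
            reason = classify_tpl(tpl)
            if reason:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "tpl": unquote(tpl),
                    "reason": reason,
                    "status": int(m["status"]),
                })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"[!] {h['ts']} {h['ip']} tpl={h['tpl']!r} ({h['reason']}, HTTP {h['status']})")
```

Run it against your real logs by feeding the file contents to `scan_log()`; the HTTP status is kept in each finding because a 200 on a flagged request is the case that warrants the credential rotation and incident-response steps the article lists, whereas a 4xx/5xx usually indicates a blocked or failed attempt. The policy is deliberately an allow-list (bare file names only) rather than a blocklist of known bad prefixes, mirroring the allow-list approach of the patched `render()`.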