The pre-patch version allowed direct RCE via Jenkins script console.
Patched version: Script console requires admin privileges.
Homepage shows a static site for "Vuela Alto Airlines".
Gobuster reveals:
/admin (403 Forbidden)
/js (200)
/css (200)
/uploads (200 — empty directory)
Port 8080 — Jenkins
Jenkins dashboard accessible with no authentication.
Old exploit CVE-2019-1003000 (Groovy script RCE) is patched in this version.
On the morning of October 24, 2023, patch notes were silently rolled out across several major game engines utilizing Byfron (Roblox) and EasyAntiCheat (other platforms). The update specifically targeted memory-write functions that allowed for unanchored client-side teleportation.
The line in the developer changelog read cryptically:
"Addressed an exploit allowing clients to bypass altitude ceiling checks via vector tampering. Resolved a 'private 127' method of unanchored elevation."
Spanish-language forums like UserGames and ElitePvP have exploded with threads.