CVE-2006-0936

Free Host Shop Website Generator 3.3 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-0936. PoCs published by NSA Group.

AI-analyzed exploit summary This exploit leverages a file upload vulnerability in Website generator by manipulating the 'formname' parameter to upload arbitrary PHP code. The null byte injection allows bypassing file extension restrictions, leading to remote code execution.

Description

Free Host Shop Website Generator 3.3 allows remote authenticated users with administrative privileges to upload and execute arbitrary files via a formname parameter with a filename containing a dangerous file extension and a trailing %00.

Exploits (1)

exploitdb WORKING POC VERIFIED
by NSA Group · textwebappsphp
https://www.exploit-db.com/exploits/27312

This exploit leverages a file upload vulnerability in Website generator by manipulating the 'formname' parameter to upload arbitrary PHP code. The null byte injection allows bypassing file extension restrictions, leading to remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Website generator (version unspecified)
No auth needed
Prerequisites: Access to the vulnerable 'process3.php' endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Various Sources x_refsource_misc
http://nsag.ru/vuln/894.html
Exploit, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19014
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/16823
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/426077/100/0/threaded

Scores

EPSS 0.0227
EPSS Percentile 80.9%

Details

Status published
Products (1)
free_host_shop/website_generator 3.3
Published Feb 28, 2006
Tracked Since Feb 18, 2026