CVE-2006-6445

Envolution 1.1.0 - Directory Traversal via PNSVlang Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-6445. PoCs published by Kacper.

AI-analyzed exploit summary This exploit targets a remote code execution vulnerability in Envolution <= 1.1.0 by manipulating the 'lang' session variable to include arbitrary PHP code. The exploit logs in, sets a malicious session variable, and triggers the inclusion of a crafted error.php file.

Description

Directory traversal vulnerability in error.php in Envolution 1.1.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PNSVlang (PNSV lang) parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by error.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Kacper · phpwebappsphp
https://www.exploit-db.com/exploits/2888

This exploit targets a remote code execution vulnerability in Envolution <= 1.1.0 by manipulating the 'lang' session variable to include arbitrary PHP code. The exploit logs in, sets a malicious session variable, and triggers the inclusion of a crafted error.php file.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Envolution <= 1.1.0
Auth required
Prerequisites: Valid user credentials · Session ID · User ID
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4836
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30700
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21413
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/2888

Scores

EPSS 0.0632
EPSS Percentile 92.7%

Details

Status published
Products (1)
envolution/envolution 1.1.0
Published Dec 10, 2006
Tracked Since Feb 18, 2026