CVE-2006-7183

Exhibit Engine 2 < 1.22 - Remote File Inclusion via toroot Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-7183. PoCs published by Kacper.

AI-analyzed exploit summary This is a writeup describing a Remote File Include (RFI) vulnerability in Exhibit Engine <= 1.22. The vulnerability allows an attacker to include remote files via the 'toroot' parameter in the 'styles.php' script.

Description

PHP remote file inclusion vulnerability in styles.php in Exhibit Engine (EE) 1.22 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the toroot parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Kacper · textwebappsphp

https://www.exploit-db.com/exploits/2850

View Code ZIP pw:eip

This is a writeup describing a Remote File Include (RFI) vulnerability in Exhibit Engine <= 1.22. The vulnerability allows an attacker to include remote files via the 'toroot' parameter in the 'styles.php' script.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: Exhibit Engine <= 1.22

No auth needed

Prerequisites: Access to the target web application · Remote file hosting for malicious script

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/21313

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/30516

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/2850

Scores

EPSS 0.0392

EPSS Percentile 89.0%

Details

Status published

Products (1)

photography-on-the-net/exhibit_engine_2 < 1.22

Published Mar 30, 2007

Tracked Since Feb 18, 2026