CVE-2007-2014

MyNews 4.2.2 - Remote File Inclusion via myNewsConf[path][sys][index] Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-2014. PoCs published by hackberry.

AI-analyzed exploit summary This exploit demonstrates a remote file inclusion vulnerability in MyNews 4.2.2 and prior versions. By manipulating the 'myNewsConf[path][sys][index]' parameter, an attacker can include and execute arbitrary remote PHP files, leading to remote code execution.

Description

PHP remote file inclusion vulnerability in include/blocks/week_events.php in MyNews 4.2.2 allows remote attackers to execute arbitrary PHP code via a URL in the myNewsConf[path][sys][index] parameter, a different vector than CVE-2007-0633.

Exploits (1)

exploitdb WORKING POC VERIFIED
by hackberry · textwebappsphp
https://www.exploit-db.com/exploits/29830

This exploit demonstrates a remote file inclusion vulnerability in MyNews 4.2.2 and prior versions. By manipulating the 'myNewsConf[path][sys][index]' parameter, an attacker can include and execute arbitrary remote PHP files, leading to remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: MyNews 4.2.2 and prior versions
No auth needed
Prerequisites: Remote file with malicious PHP code · Web server with MyNews installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/37425
Various Sources x_refsource_misc
http://hackberry.ath.cx/research/3.txt
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1317

Scores

EPSS 0.0227
EPSS Percentile 80.9%

Details

Status published
Products (1)
mynews/mynews 4.2.2
Published Apr 12, 2007
Tracked Since Feb 18, 2026