CVE-2007-2899

NavBoard 2.6.0 - Remote Code Execution via admin_config.php Parameter Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-2899. PoCs published by Dj7xpl.

AI-analyzed exploit summary: This exploit targets a remote code execution vulnerability in NavBoard 2.6.0 by manipulating the 'editconfig' parameter and injecting malicious input into configuration fields. The PoC demonstrates how arbitrary code can be executed by leveraging improper input validation in the admin configuration page.

Description

Direct static code injection vulnerability in admin_config.php in NavBoard 2.6.0 allows remote attackers to inject arbitrary PHP code into data/config.php via multiple parameters, as demonstrated via the threadperpage parameter in an editconfig action.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Dj7xpl · phpwebappsphp
https://www.exploit-db.com/exploits/3971

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: NavBoard 2.6.0
Auth required
Prerequisites: Access to admin panel · Valid admin credentials
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/42118
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/34472
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/3971
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/24120

Scores

EPSS 0.0231
EPSS Percentile 81.1%

Details

CWE: CWE-94
Status: published
Products (1)
navboard/navboard 16
Published May 30, 2007
Tracked Since Feb 18, 2026