CVE-2009-2095

Mundi Mail 0.8.2 - Remote Code Execution via Top Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2095. PoCs published by Br0ly.

AI-analyzed exploit summary This is a writeup describing a Local/Remote File Inclusion vulnerability in Mundi Mail. The vulnerability is due to unsafe inclusion of user-controlled input in the 'top' parameter without proper sanitization.

Description

PHP remote file inclusion vulnerability in template/simpledefault/admin/_masterlayout.php in Mundi Mail 0.8.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the top parameter. NOTE: when allow_url_fopen is disabled, directory traversal attacks are possible to include and execute arbitrary local files.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Br0ly · textwebappsphp
https://www.exploit-db.com/exploits/8948

This is a writeup describing a Local/Remote File Inclusion vulnerability in Mundi Mail. The vulnerability is due to unsafe inclusion of user-controlled input in the 'top' parameter without proper sanitization.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Mundi Mail (version not specified)
No auth needed
Prerequisites: allow_url_fopen=on (for RFI) · magic_quotes_gpc=off (for LFI) · register_globals=on
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8948

Scores

EPSS 0.0174
EPSS Percentile 74.8%

Details

CWE
CWE-94
Status published
Products (1)
mundi_king/mundi_mail 0.8.2
Published Jun 17, 2009
Tracked Since Feb 18, 2026