CVE-2009-2331

CMS Chainuk < 1.2 - Remote PHP Code Injection via Menu or Title Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2331. PoCs published by eLwaux.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in CMS Chainuk <= v1.2, including Local File Inclusion (LFI), arbitrary file deletion, XSS, and remote code execution (RCE) via file inclusion and PHP code injection. The PoC provides specific exploit paths and payloads for each vulnerability.

Description

Multiple static code injection vulnerabilities in CMS Chainuk 1.2 and earlier allow remote attackers to inject arbitrary PHP code (1) into settings.php via the menu parameter to admin_settings.php or (2) into a content/=NUMBER.php file via the title parameter to admin_new.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by eLwaux · textwebappsphp
https://www.exploit-db.com/exploits/9069

The exploit demonstrates multiple vulnerabilities in CMS Chainuk <= v1.2, including Local File Inclusion (LFI), arbitrary file deletion, XSS, and remote code execution (RCE) via file inclusion and PHP code injection. The PoC provides specific exploit paths and payloads for each vulnerability.

Classification
Working Poc 95%
Attack Type
Rce | Lfi | Xss | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: CMS Chainuk <= v1.2
No auth needed
Prerequisites: Access to the target web application · PHP execution environment
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9069
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/55672
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/55673

Scores

EPSS 0.0240
EPSS Percentile 81.8%

Details

CWE
CWE-94
Status published
Products (1)
cms.tut.su/cms_chainuk < 1.2
Published Jul 05, 2009
Tracked Since Feb 18, 2026