CVE-2009-4626

phpNagios 1.2.0 - Remote File Inclusion via menu.php conf[lang] Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4626. PoCs published by CoBRa_21.

AI-analyzed exploit summary The exploit describes a Local File Inclusion (LFI) vulnerability in phpNagios v1.2.0 due to improper input validation in the 'conf[lang]' parameter in menu.php. The vulnerability allows an attacker to include arbitrary local files by manipulating the parameter.

Description

Directory traversal vulnerability in menu.php in phpNagios 1.2.0 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the conf[lang] parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED

by CoBRa_21 · textwebappsphp

https://www.exploit-db.com/exploits/9611

View Code ZIP pw:eip

The exploit describes a Local File Inclusion (LFI) vulnerability in phpNagios v1.2.0 due to improper input validation in the 'conf[lang]' parameter in menu.php. The vulnerability allows an attacker to include arbitrary local files by manipulating the parameter.

Classification

Writeup 90%

Attack Type

Lfi

Complexity

Trivial

Reliability

Reliable

Target: phpNagios v1.2.0

No auth needed

Prerequisites: Access to the vulnerable phpNagios instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/53119

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/2615

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/9611

Scores

EPSS 0.0251

EPSS Percentile 82.7%

Details

CWE

CWE-22

Status published

Products (1)

phpnagios/phpnagios 1.2.0

Published Jan 18, 2010

Tracked Since Feb 18, 2026