CVE-2012-2226

CRITICAL

Invision Power Board < 3.3.1 - Unauthenticated Arbitrary File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2226. PoCs published by waraxe.

AI-analyzed exploit summary This advisory details a Local File Inclusion (LFI) vulnerability in Invision Power Board 3.3.0 and 3.2.3, where unsanitized user input in the 'key' parameter of 'like.php' can lead to remote file disclosure or PHP code execution. The exploit requires authentication and PHP < 5.3.4 for null-byte attacks.

Description

Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.

Exploits (1)

exploitdb WRITEUP

by waraxe · textwebappsphp

https://www.exploit-db.com/exploits/18736

View Code ZIP pw:eip

This advisory details a Local File Inclusion (LFI) vulnerability in Invision Power Board 3.3.0 and 3.2.3, where unsanitized user input in the 'key' parameter of 'like.php' can lead to remote file disclosure or PHP code execution. The exploit requires authentication and PHP < 5.3.4 for null-byte attacks.

Classification

Writeup 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Invision Power Board 3.3.0, 3.2.3

Auth required

Prerequisites: Valid user account · PHP version < 5.3.4

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/52998

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/74855

Scores

CVSS v3 9.8

EPSS 0.1303

EPSS Percentile 94.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

invisioncommunity/invision_power_board < 3.3.1

Published Jan 09, 2020

Tracked Since Feb 18, 2026