CVE-2016-4806

HIGH

web2py < 2.14.5 - Local File Inclusion

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4806. PoCs published by Narendra Bhati.

AI-analyzed exploit summary This is a detailed technical writeup describing multiple vulnerabilities (LFI, XSS, CSRF) in Web2py 2.14.5, including proof-of-concept steps, HTTP request examples, and references to external resources like video PoCs and detailed analysis.

Description

Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Narendra Bhati · textwebappspython
https://www.exploit-db.com/exploits/39821

This is a detailed technical writeup describing multiple vulnerabilities (LFI, XSS, CSRF) in Web2py 2.14.5, including proof-of-concept steps, HTTP request examples, and references to external resources like video PoCs and detailed analysis.

Classification
Writeup 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Web2py 2.14.5
Auth required
Prerequisites: Administrator access to the Web2py admin interface
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39821/

Scores

CVSS v3 7.5
EPSS 0.1008
EPSS Percentile 95.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
web2py/web2py < 2.14.5
Published Jan 11, 2017
Tracked Since Feb 18, 2026