CVE-2018-19246

HIGH

php-proxy 5.1.0 - Unauthenticated Local File Read via Default Config Key

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-19246. PoCs published by Ameer Pornillos, NeoWans.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in PHP-Proxy 5.1.0 by generating an encrypted string using a default app_key and IP address, which can then be used to read arbitrary local files on the server.

Description

PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion.

Exploits (2)

exploitdb WORKING POC
by Ameer Pornillos · textwebappsphp
https://www.exploit-db.com/exploits/45861

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in PHP-Proxy 5.1.0 by generating an encrypted string using a default app_key and IP address, which can then be used to read arbitrary local files on the server.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: PHP-Proxy 5.1.0
No auth needed
Prerequisites: Access to the target PHP-Proxy instance · Knowledge of the default app_key
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by NeoWans · poc
https://github.com/NeoWans/CVE-2018-19246

This repository contains a proof-of-concept exploit for CVE-2018-19246, a local file inclusion vulnerability in PHP-Proxy 5.1.0. The exploit leverages a default app_key to generate encrypted strings that allow access to arbitrary local files on the server.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: PHP-Proxy 5.1.0
No auth needed
Prerequisites: Network access to the target server · PHP-Proxy 5.1.0 with default app_key
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45861/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Athlon1600/php-proxy-app/issues/134

Scores

CVSS v3 7.5
EPSS 0.4596
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (2)
athlon1600/php-proxy 0Packagist
php-proxy/php-proxy 5.1.0
Published Nov 13, 2018
Tracked Since Feb 18, 2026