CVE-2019-16123

HIGH NUCLEI

Kartatopia PilusCart <= 1.4.1 - Local File Disclosure via Directory Traversal


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-16123, a PoC published by Damian Ebelties on Exploit-DB. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a Local File Disclosure vulnerability in PilusCart <= 1.4.1 due to improper validation of the 'filename' parameter in catalog.php. The PoC shows how an attacker can read arbitrary files by traversing directories.

Description

In Kartatopia PilusCart 1.4.1, the filename parameter of catalog.php is used to open a file without being checked for directory traversal sequences (../), so an unauthenticated request can read arbitrary files that the web server process can access (Local File Disclosure, CWE-22).
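The two things a practitioner wants from this description are the fix (confine the filename to the catalog directory before opening it) and a way to spot attempts in web-server logs. The following is an added example written for this page, not PilusCart's code and not the Exploit-DB PoC. Only the endpoint (catalog.php) and the parameter name (filename) come from the page; the base directory, the log format (Apache common log) and the log lines are constructed assumptions.

```python
"""Added example for CVE-2019-16123 (not PilusCart code, not the PoC).

Part 1: is_confined() is the check catalog.php should have applied to
        'filename' before opening it.
Part 2: find_traversal_attempts() scans constructed access-log lines for
        traversal payloads aimed at catalog.php.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the catalog files; not taken from the product.
CATALOG_DIR = "/srv/piluscart/catalog"


def is_confined(base_dir: str, user_filename: str) -> bool:
    """Return True only if base_dir/user_filename resolves strictly inside base_dir.

    Decode first so '%2e%2e%2f' (and double-encoded variants) cannot slip past
    a string check, then let os.path.realpath collapse '../' and symlinks
    before comparing prefixes. The os.sep suffix matters: a bare
    startswith(base_dir) would accept '/srv/piluscart/catalog_old/...'.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(unquote(user_filename))
    if "\x00" in decoded:            # NUL truncation trick in older PHP
        return False
    # os.path.join discards base when decoded is absolute ('/etc/passwd'),
    # which the prefix check below then rejects.
    candidate = os.path.realpath(os.path.join(base, decoded))
    return candidate.startswith(base + os.sep)


# Apache common log line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_traversal_attempts(log_lines, endpoint="/catalog.php", param="filename"):
    """Return one record per request to `endpoint` whose `param` value, after
    decoding, contains a traversal sequence or an absolute path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(endpoint):
            continue
        # parse_qs already percent-decodes once; decode again for double encoding.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            decoded = unquote(value)
            if "../" in decoded or "..\\" in decoded or decoded.startswith("/"):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "filename": decoded,
                    # a 200 means the server served something for the payload
                    "likely_success": m.group("status") == "200",
                })
    return hits


# Constructed sample log lines (not real traffic). The last line targets a
# different script and is deliberately out of scope for this detector.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Sep/2019:10:21:03 +0000] "GET /catalog.php?filename=../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.5 - - [09/Sep/2019:10:21:09 +0000] "GET /catalog.php?filename=..%2F..%2F..%2Fconfig.php HTTP/1.1" 200 2201',
    '198.51.100.7 - - [09/Sep/2019:10:22:41 +0000] "GET /catalog.php?filename=products.csv HTTP/1.1" 200 8812',
    '198.51.100.9 - - [09/Sep/2019:10:23:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 512',
]


if __name__ == "__main__":
    for name in ("products.csv", "../../../../etc/passwd", "..%2f..%2fetc/passwd"):
        print(f"{name!r:32} confined={is_confined(CATALOG_DIR, name)}")
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

The confinement check is the fix; rejecting the literal string "../" is not, because encoded and double-encoded forms reach the same open() call. On the detection side, match on the decoded parameter rather than the raw request line for the same reason, and treat a 200 response with a non-trivial body size as a likely successful disclosure rather than a blocked attempt.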

Exploits (1)

exploitdb · WORKING POC
by Damian Ebelties · text · webapps · php
https://www.exploit-db.com/exploits/47315

Classification
Working PoC: 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: PilusCart <= 1.4.1
Authentication: none needed
Prerequisites: Access to the vulnerable endpoint (catalog.php)
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

PilusCart <= 1.4.1 - Local File Inclusion
HIGH · by 0x_Akoko

References (2)

Core References
https://zerodays.lol/ (Third Party Advisory, URL Repurposed; x_refsource_misc)
https://www.exploit-db.com/exploits/47315 (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)

Scores

CVSS v3: 7.5 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.1648 (16.48% estimated probability of exploitation in the next 30 days)
EPSS Percentile: 96.6%

Details

CWE
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Status published
Products (1)
kartatopia/piluscart <= 1.4.1
Published Sep 09, 2019
Tracked Since Feb 18, 2026