CVE-2020-8641

HIGH NUCLEI

Lotus Core CMS 1.0.1 - Path Traversal


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-8641. PoCs published by Daniel Monzón. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Lotus Core CMS 1.0.1 due to unsanitized user input in the 'page_slug' parameter. The exploit uses a null byte to bypass the '.php' extension check, allowing arbitrary file inclusion.

Description

Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of .php files via directory traversal in the index.php page_slug parameter.

Exploits (1)

exploitdb · WORKING POC
by Daniel Monzón · text · webapps · php
https://www.exploit-db.com/exploits/47985

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Lotus Core CMS 1.0.1
Auth required
Prerequisites: Authentication credentials · Access to the target application
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Lotus Core CMS 1.0.1 - Local File Inclusion
HIGH · by 0x_Akoko

References (1)

Core References (1)
Exploit, Third Party Advisory, VDB Entry · x_refsource_misc
https://www.exploit-db.com/exploits/47985

Scores

CVSS v3: 8.8
EPSS: 0.1081
EPSS Percentile: 95.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-22
Status: published
Products (1): lotus_core_cms_project/lotus_core_cms 1.0.1
Published: Feb 05, 2020
Tracked Since: Feb 18, 2026