CVE-2021-39433

HIGH NUCLEI

biqsdrive < 1.83 - Local File Inclusion via Download Endpoint File Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-39433. PoCs published by PinkDraconian. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository provides a functional proof-of-concept for CVE-2021-39433, demonstrating a local file inclusion (LFI) vulnerability in BIQS IT Biqs-drive v1.83 and below. The exploit uses a crafted HTTP request to read arbitrary files from the server via a path traversal attack.

Description

A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.

Exploits (1)

nomisec WORKING POC 5 stars
by PinkDraconian · poc
https://github.com/PinkDraconian/CVE-2021-39433

The repository provides a functional proof-of-concept for CVE-2021-39433, demonstrating a local file inclusion (LFI) vulnerability in BIQS IT Biqs-drive v1.83 and below. The exploit uses a crafted HTTP request to read arbitrary files from the server via a path traversal attack.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: BIQS IT Biqs-drive v1.83 and below
No auth needed
Prerequisites: Access to the target server's download/index.php endpoint
devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

BIQS IT Biqs-drive v1.83 Local File Inclusion
HIGHby Veshraj

References (2)

Core 2
Core References
Broken Link x_refsource_misc
https://biqs-drive.be/

Scores

CVSS v3 7.5
EPSS 0.0845
EPSS Percentile 94.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Status published
Products (1)
biqs/biqsdrive < 1.83
Published Oct 04, 2021
Tracked Since Feb 18, 2026