EIP-2026-100860

PRE-CVE

mnoGoSearch 3.3.12 (search.cgi) - Arbitrary File Read

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-100860. PoCs published by Sergey Bobrov.

AI-analyzed exploit summary: This advisory describes an arbitrary file reading vulnerability in mnoGoSearch 3.3.12 and earlier, where the 'd' parameter can be manipulated to include arbitrary files via template injection. The exploit leverages the QUERY_STRING and PATH_INFO to read sensitive files like /etc/passwd.

Description

mnoGoSearch 3.3.12 (search.cgi) - Arbitrary File Read

Exploits (1)

exploitdb WRITEUP
by Sergey Bobrov · text · webapps · cgi
https://www.exploit-db.com/exploits/24630

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: mnoGoSearch <= 3.3.12
No auth needed
Prerequisites: mnoGoSearch running in CGI mode · access to the search.cgi endpoint
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026