EIP-2026-105067

PRE-CVE

Album Photo Sans Nom 1.6 - 'Getimg.php' Remote File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-105067. PoCs published by DarkFig.

AI-analyzed exploit summary The exploit demonstrates a remote file inclusion vulnerability in Album Photo Sans Nom 1.6 by manipulating the 'img' parameter in getimg.php to include arbitrary remote files. This can lead to remote code execution if the attacker controls the included file.

Description

Album Photo Sans Nom 1.6 - 'Getimg.php' Remote File Inclusion

Exploits (1)

exploitdb WORKING POC VERIFIED

by DarkFig · textwebappsphp

https://www.exploit-db.com/exploits/28779

View Code ZIP pw:eip

The exploit demonstrates a remote file inclusion vulnerability in Album Photo Sans Nom 1.6 by manipulating the 'img' parameter in getimg.php to include arbitrary remote files. This can lead to remote code execution if the attacker controls the included file.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Album Photo Sans Nom 1.6

No auth needed

Prerequisites: Network access to the target application · Ability to host a malicious file on a remote server

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026