EIP-2026-105524

PRE-CVE

Blog:CMS 4.1 - 'Thumb.php' Remote File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-105524. PoCs published by EllipSiS Security.

AI-analyzed exploit summary The provided text describes a remote file inclusion vulnerability in Blog:CMS, where unsanitized user input in the 'gallery' and 'image' parameters of thumb.php allows arbitrary remote file inclusion. This can lead to remote code execution in the context of the webserver process.

Description

Blog:CMS 4.1 - 'Thumb.php' Remote File Inclusion

Exploits (1)

exploitdb WRITEUP VERIFIED

by EllipSiS Security · textwebappsphp

https://www.exploit-db.com/exploits/28168

View Code ZIP pw:eip

The provided text describes a remote file inclusion vulnerability in Blog:CMS, where unsanitized user input in the 'gallery' and 'image' parameters of thumb.php allows arbitrary remote file inclusion. This can lead to remote code execution in the context of the webserver process.

Classification

Writeup 80%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: Blog:CMS (version not specified)

No auth needed

Prerequisites: Access to the vulnerable thumb.php endpoint · Ability to host or reference a malicious PHP script

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026