EIP-2026-105645

PRE-CVE

Built2Go PHP Rate My Photo 1.46.4 - Arbitrary File Upload

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-105645. PoCs published by ZoRLu.

AI-analyzed exploit summary This exploit leverages a file upload vulnerability in Built2Go PHP Rate My Photo v1.46.4 by disguising a PHP shell as a GIF file (GIF89a header) to achieve remote code execution (RCE). The attacker uploads the malicious file via the member.php interface, bypassing file type restrictions.

Description

Built2Go PHP Rate My Photo 1.46.4 - Arbitrary File Upload

Exploits (1)

exploitdb WORKING POC VERIFIED

by ZoRLu · textwebappsphp

https://www.exploit-db.com/exploits/7645

View Code ZIP pw:eip

This exploit leverages a file upload vulnerability in Built2Go PHP Rate My Photo v1.46.4 by disguising a PHP shell as a GIF file (GIF89a header) to achieve remote code execution (RCE). The attacker uploads the malicious file via the member.php interface, bypassing file type restrictions.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Built2Go PHP Rate My Photo v1.46.4

Auth required

Prerequisites: Valid user account on the target system · Access to the file upload functionality

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026