EIP-2026-105751
PRE-CVECart Engine 3.0.0 - 'task.php' Local File Inclusion
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-105751. PoCs published by LiquidWorm.
AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Cart Engine 3.0.0 via the 'run' parameter in task.php. The vulnerability allows authenticated attackers to include arbitrary local files using directory traversal sequences.
Description
Cart Engine 3.0.0 - 'task.php' Local File Inclusion
Exploits (1)
exploitdb
WORKING POC
by LiquidWorm · textwebappsphp
https://www.exploit-db.com/exploits/32504
This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Cart Engine 3.0.0 via the 'run' parameter in task.php. The vulnerability allows authenticated attackers to include arbitrary local files using directory traversal sequences.
Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target:
Cart Engine 3.0.0
Auth required
Prerequisites:
Authenticated access to the admin panel
devstral-2 · analyzed Feb 16, 2026
Full analysis →
Details
Status
pre_cve
Tracked Since
Feb 18, 2026