EIP-2026-105983

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in CMS Made Simple 1.8 by manipulating the 'default_cms_lang' parameter to traverse directories and include arbitrary files. The PoC sends a crafted POST request to '/admin/addbookmark.php' with a payload designed to access 'windows/win.ini'.