EIP-2026-106074

PRE-CVE

CometChat < 6.2.0 BETA 1 - Local File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106074. PoCs published by Paradoxis.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in CometChat < v6.2.0 BETA 1 via the 'cc_lang' cookie. An attacker can manipulate the include path to execute arbitrary PHP code, potentially leading to remote code execution (RCE) if a malicious file is uploaded to the server.

Description

CometChat < 6.2.0 BETA 1 - Local File Inclusion

Exploits (1)

exploitdb WORKING POC

by Paradoxis · textwebappsphp

https://www.exploit-db.com/exploits/43027

View Code ZIP pw:eip

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in CometChat < v6.2.0 BETA 1 via the 'cc_lang' cookie. An attacker can manipulate the include path to execute arbitrary PHP code, potentially leading to remote code execution (RCE) if a malicious file is uploaded to the server.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: CometChat < v6.2.0 BETA 1

No auth needed

Prerequisites: Ability to set cookies in HTTP requests · Presence of a malicious file on the server (e.g., via upload functionality)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026