EIP-2026-106224

This exploit demonstrates a two-stage attack against cPassMan v1.82: an unauthenticated arbitrary file upload followed by a local file inclusion (LFI) to achieve remote command execution (RCE). The PoC uploads a malicious PHP file and then includes it via a poison null byte in the user_language cookie.