EIP-2026-106260

PRE-CVE

CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106260. PoCs published by faisalfs10x.

AI-analyzed exploit summary This exploit demonstrates an arbitrary file deletion vulnerability in CSZ CMS 1.2.9, where unsanitized user input in the 'del_file' and 'del_file2' parameters allows deletion of any file accessible by the PHP process. The PoC includes HTTP requests showing how to delete files like 'conf_secret_file.php' and 'config_backup.txt' via directory traversal.

Description

CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion

Exploits (1)

exploitdb WORKING POC

by faisalfs10x · textwebappsphp

https://www.exploit-db.com/exploits/50148

View Code ZIP pw:eip

This exploit demonstrates an arbitrary file deletion vulnerability in CSZ CMS 1.2.9, where unsanitized user input in the 'del_file' and 'del_file2' parameters allows deletion of any file accessible by the PHP process. The PoC includes HTTP requests showing how to delete files like 'conf_secret_file.php' and 'config_backup.txt' via directory traversal.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: CSZ CMS 1.2.9

Auth required

Prerequisites: Admin access to the CSZ CMS application · Knowledge of target file paths

MITRE ATT&CK

T1003 - OS Credential Dumping T1070.004 - File Deletion

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026