EIP-2026-106260

This exploit demonstrates an arbitrary file deletion vulnerability in CSZ CMS 1.2.9, where unsanitized user input in the 'del_file' and 'del_file2' parameters allows deletion of any file accessible by the PHP process. The PoC includes HTTP requests showing how to delete files like 'conf_secret_file.php' and 'config_backup.txt' via directory traversal.