EIP-2026-106386

PRE-CVE

DCP-Portal 5.0.1 - 'editor.php?Root' Remote File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106386. PoCs published by frog.

AI-analyzed exploit summary The code describes a remote file inclusion (RFI) vulnerability in DCP-Portal, where an attacker can include arbitrary remote files via the 'root' parameter in 'editor.php'. This could lead to remote code execution (RCE) if the included file contains malicious PHP code.

Description

DCP-Portal 5.0.1 - 'editor.php?Root' Remote File Inclusion

Exploits (1)

exploitdb WRITEUP VERIFIED

by frog · textwebappsphp

https://www.exploit-db.com/exploits/22126

View Code ZIP pw:eip

The code describes a remote file inclusion (RFI) vulnerability in DCP-Portal, where an attacker can include arbitrary remote files via the 'root' parameter in 'editor.php'. This could lead to remote code execution (RCE) if the included file contains malicious PHP code.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: DCP-Portal

No auth needed

Prerequisites: Access to the vulnerable 'editor.php' endpoint · Ability to host a malicious file on an attacker-controlled server

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026