EIP-2026-107128

PRE-CVE

Flatnuke 2.5.8 - 'userlang' Local Inclusion / Delete All Users

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-107128. PoCs published by rgod.

AI-analyzed exploit summary This exploit targets Flatnuke 2.5.8 by leveraging arbitrary local file inclusion via the 'userlang' cookie to delete all user accounts. It automates user registration, login, and deletion through crafted HTTP requests.

Description

Flatnuke 2.5.8 - 'userlang' Local Inclusion / Delete All Users

Exploits (1)

exploitdb WORKING POC VERIFIED

by rgod · phpwebappsphp

https://www.exploit-db.com/exploits/2499

View Code ZIP pw:eip

This exploit targets Flatnuke 2.5.8 by leveraging arbitrary local file inclusion via the 'userlang' cookie to delete all user accounts. It automates user registration, login, and deletion through crafted HTTP requests.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Flatnuke 2.5.8

No auth needed

Prerequisites: Target must be running Flatnuke 2.5.8 · Access to the target server's web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026