EIP-2026-108918
PRE-CVE
Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
Title source: legacy
Exploitation Summary
EIP tracks 1 public exploit for EIP-2026-108918. PoCs published by Mehmet Kelepçe.
AI-analyzed exploit summary
This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Joomla! Plugin XCloner Backup 3.5.3. The vulnerability allows an authenticated attacker to read arbitrary files on the server by manipulating the 'file' parameter in the download task.
Description
Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
Exploits (1)
exploitdb
WORKING POC
by Mehmet Kelepçe · text · webapps · php
https://www.exploit-db.com/exploits/48518
Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target:
Joomla! Plugin XCloner Backup 3.5.3
Auth required
Prerequisites:
Authenticated access to the Joomla administrator panel
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Details
Status
pre_cve
Tracked Since
Feb 18, 2026