EIP-2026-109150

PRE-CVE

Limonade Framework - 'limonade.php' Local File Disclosure

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-109150. PoCs published by Yashar shahinzadeh.

AI-analyzed exploit summary This PHP script exploits a local file disclosure vulnerability in the Limonade framework by bypassing input sanitization through directory traversal sequences. It uses cURL to send crafted POST requests with incremental path traversal payloads to retrieve sensitive files.

Description

Limonade Framework - 'limonade.php' Local File Disclosure

Exploits (1)

exploitdb WORKING POC VERIFIED

by Yashar shahinzadeh · phpwebappsphp

https://www.exploit-db.com/exploits/38828

View Code ZIP pw:eip

This PHP script exploits a local file disclosure vulnerability in the Limonade framework by bypassing input sanitization through directory traversal sequences. It uses cURL to send crafted POST requests with incremental path traversal payloads to retrieve sensitive files.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Limonade framework 3.0

No auth needed

Prerequisites: Target URL with vulnerable Limonade framework · Parameter susceptible to path traversal · Needle string to confirm successful exploitation

MITRE ATT&CK

T1005 - Data from Local System T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026