EIP-2026-109486
PRE-CVE
miniCWB 1.0.0 - 'contact.php' Local File Inclusion
Title source: legacy
Exploitation Summary
EIP tracks 1 public exploit for EIP-2026-109486. PoCs published by Kacper.
AI-analyzed exploit summary: This exploit targets a Local File Include (LFI) vulnerability in Mini Open CMS v1.0.0, leveraging log file poisoning to achieve remote code execution (RCE). It injects malicious PHP code into server logs and then includes the log file via a manipulated session variable.
Description
miniCWB 1.0.0 - 'contact.php' Local File Inclusion
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Kacper · php · webapps · php
https://www.exploit-db.com/exploits/2796
Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target:
Mini Open CMS v1.0.0
No auth needed
Prerequisites:
register_globals=On · writable log files · predictable log file paths
devstral-2 · analyzed Feb 18, 2026
Details
Status
pre_cve
Tracked Since
Feb 18, 2026