EIP-2026-110266

PRE-CVE

opencart 1.5.2.1 - Multiple Vulnerabilities

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110266. PoCs published by waraxe.

AI-analyzed exploit summary: The exploit demonstrates a Local File Inclusion (LFI) vulnerability in OpenCart 1.5.2.1 via directory traversal using backslashes on Windows systems, and an Arbitrary File Upload vulnerability by bypassing file extension checks with null bytes. Both vulnerabilities can lead to remote code execution under specific conditions.

Description

opencart 1.5.2.1 - Multiple Vulnerabilities

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by waraxe · text · webapps · php
https://www.exploit-db.com/exploits/18813

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenCart 1.5.2.1
No auth needed
Prerequisites: Windows platform · PHP version < 5.3.4 for null-byte attacks
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026