EIP-2026-110337

PRE-CVE

OrangeHRM 2.6.3 - 'PluginController.php' Local File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110337. PoCs published by AutoSec Tools.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in OrangeHRM 2.6.3 by traversing directories to access arbitrary files (e.g., `windows/win.ini`). The PoC uses path traversal sequences (`..%2f`) and a null byte (`%00`) to bypass restrictions.

Description

OrangeHRM 2.6.3 - 'PluginController.php' Local File Inclusion

Exploits (1)

exploitdb WORKING POC

by AutoSec Tools · textwebappsphp

https://www.exploit-db.com/exploits/17212

View Code ZIP pw:eip

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in OrangeHRM 2.6.3 by traversing directories to access arbitrary files (e.g., `windows/win.ini`). The PoC uses path traversal sequences (`..%2f`) and a null byte (`%00`) to bypass restrictions.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: OrangeHRM 2.6.3

No auth needed

Prerequisites: Network access to the target application · OrangeHRM 2.6.3 installed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026