EIP-2026-110812

PRE-CVE

PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110812. PoCs published by Besim.

AI-analyzed exploit summary: This is a technical analysis of an arbitrary file upload vulnerability in PHP-Fusion 9.03.50, where the 'Edit Profile' feature fails to validate file extensions, allowing PHP files to be uploaded as avatars. The vulnerable code section in UserFieldsInput.inc is highlighted, showing the lack of proper file extension checks.

Description

PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload

Exploits (1)

exploitdb WRITEUP
by Besim · text · webapps · php
https://www.exploit-db.com/exploits/48381

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PHP-Fusion v9.03.50
Auth required
Prerequisites: User authentication · Access to the 'Edit Profile' feature
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026