EIP-2026-111516

PRE-CVE

Processwire CMS 2.4.0 - 'download' Local File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111516. PoCs published by Y1LD1R1M.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated Local File Inclusion (LFI) vulnerability in Processwire CMS 2.4.0. By manipulating the 'download' parameter in index.php, an attacker can retrieve arbitrary files from the server, such as /etc/passwd or config.php.

Description

Processwire CMS 2.4.0 - 'download' Local File Inclusion

Exploits (1)

exploitdb WORKING POC

by Y1LD1R1M · textwebappsphp

https://www.exploit-db.com/exploits/48986

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated Local File Inclusion (LFI) vulnerability in Processwire CMS 2.4.0. By manipulating the 'download' parameter in index.php, an attacker can retrieve arbitrary files from the server, such as /etc/passwd or config.php.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Processwire CMS 2.4.0

No auth needed

Prerequisites: Access to the target URL

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026