EIP-2026-111828

This is a vulnerability writeup detailing Local File Inclusion (LFI) and Modules Authorization Weakness in RunCMS versions 1.6 Halloween and 1.5.x. The LFI vulnerability allows remote code execution by manipulating the `xoopsOption[pagetype]` parameter, while the authorization weakness permits unauthorized access to module admin areas.