EIP-2026-112007

PRE-CVE

sFileManager 24a - Local File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112007. PoCs published by Pepelux.

AI-analyzed exploit summary

The writeup details a local file inclusion vulnerability in sFileManager <= v.24a, where the 'filename' parameter in 'fm.php' is not properly sanitized, allowing directory traversal attacks to read arbitrary files. The 'pathext' parameter is protected against traversal, but the 'filename' parameter bypasses this check.

Description

sFileManager 24a - Local File Inclusion

Exploits (1)

exploitdb WRITEUP
by Pepelux · text · webapps · php
https://www.exploit-db.com/exploits/14643

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: sFileManager <= v.24a
No auth needed
Prerequisites: Access to the 'fm.php' endpoint
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026