EIP-2026-112480

The exploit demonstrates a command injection vulnerability in sumon <= 0.7.0, where user-controlled input via the 'host' or 'fichero_post' parameters is passed unsanitized to system commands (passthru/exec). Multiple endpoints (chg.php, stats.php, showfile.php, difffile.php) are vulnerable to remote command execution.