EIP-2026-112594

PRE-CVE

TenderSystem 0.9.5 - 'main.php' Multiple Local File Inclusions

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112594. PoCs published by Packetdeath.

AI-analyzed exploit summary The code describes a local file inclusion (LFI) vulnerability in TenderSystem 0.9.5 Beta, where unsanitized user input allows attackers to include arbitrary local files via path traversal sequences. The provided URI examples demonstrate the exploitation of the 'module' and 'function' parameters to access sensitive files like 'boot.ini'.

Description

TenderSystem 0.9.5 - 'main.php' Multiple Local File Inclusions

Exploits (1)

exploitdb WRITEUP VERIFIED
by Packetdeath · textwebappsphp
https://www.exploit-db.com/exploits/34354

The code describes a local file inclusion (LFI) vulnerability in TenderSystem 0.9.5 Beta, where unsanitized user input allows attackers to include arbitrary local files via path traversal sequences. The provided URI examples demonstrate the exploitation of the 'module' and 'function' parameters to access sensitive files like 'boot.ini'.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: TenderSystem 0.9.5 Beta
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026