EIP-2026-112597

PRE-CVE

tenrok 1.1.0 - File Disclosure / Remote Code Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112597. PoCs published by SirGod.

AI-analyzed exploit summary: This exploit demonstrates a Remote Command Execution (RCE) vulnerability in Tenrok 1.1.0 by injecting PHP code into the 'Title' field of post.php, which is then executed via the 'cmd' parameter in display.php. It also includes a Users Data Disclosure vulnerability via direct access to userpwd.txt.

Description

tenrok 1.1.0 - File Disclosure / Remote Code Execution

Exploits (1)

exploitdb WORKING POC VERIFIED
by SirGod · text · webapps · php
https://www.exploit-db.com/exploits/9367

Classification
Working PoC: 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Tenrok 1.1.0
Auth required
Prerequisites: Authenticated access to the application · Ability to submit a post with malicious PHP code
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026