EIP-2026-112841

PRE-CVE

u5CMS 3.9.3 - 'thumb.php' Local File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112841. PoCs published by LiquidWorm.

AI-analyzed exploit summary The document describes a Local File Inclusion (LFI) vulnerability in u5CMS 3.9.3 and 3.9.2, where the 'f' parameter in thumb.php is not properly sanitized, allowing directory traversal attacks. It includes example HTTP requests demonstrating the exploit.

Description

u5CMS 3.9.3 - 'thumb.php' Local File Inclusion

Exploits (1)

exploitdb WRITEUP

by LiquidWorm · textwebappsphp

https://www.exploit-db.com/exploits/36028

View Code ZIP pw:eip

The document describes a Local File Inclusion (LFI) vulnerability in u5CMS 3.9.3 and 3.9.2, where the 'f' parameter in thumb.php is not properly sanitized, allowing directory traversal attacks. It includes example HTTP requests demonstrating the exploit.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: u5CMS 3.9.3 and 3.9.2

Auth required

Prerequisites: Authenticated access to the application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026