EIP-2026-113052

PRE-CVE

Velhost Uploader Script 1.2 - Local File Inclusion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113052. PoCs published by cr4wl3r.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in velhost uploader script v1.2. The vulnerability arises from unsanitized user input in the 'language' parameter, allowing an attacker to read arbitrary files on the server via directory traversal.

Description

Velhost Uploader Script 1.2 - Local File Inclusion

Exploits (1)

exploitdb WORKING POC

by cr4wl3r · textwebappsphp

https://www.exploit-db.com/exploits/12019

View Code ZIP pw:eip

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in velhost uploader script v1.2. The vulnerability arises from unsanitized user input in the 'language' parameter, allowing an attacker to read arbitrary files on the server via directory traversal.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: velhost uploader script v1.2

No auth needed

Prerequisites: Access to the vulnerable upload.php endpoint

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026