EIP-2026-113438

PRE-CVE

Wili-CMS 0.4.0 - Local File Inclusion / Remote File Inclusion / Authentication Bypass

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113438. PoCs published by Salvatore Fresta.

AI-analyzed exploit summary This exploit demonstrates two vulnerabilities in Wili-CMS 0.4.0: a remote/local file inclusion flaw allowing command execution via crafted HTTP requests, and an authentication bypass using SQL injection. The PoC includes functional exploit code for both issues.

Description

Wili-CMS 0.4.0 - Local File Inclusion / Remote File Inclusion / Authentication Bypass

Exploits (1)

exploitdb WORKING POC VERIFIED

by Salvatore Fresta · textwebappsphp

https://www.exploit-db.com/exploits/8166

View Code ZIP pw:eip

This exploit demonstrates two vulnerabilities in Wili-CMS 0.4.0: a remote/local file inclusion flaw allowing command execution via crafted HTTP requests, and an authentication bypass using SQL injection. The PoC includes functional exploit code for both issues.

Classification

Working Poc 95%

Attack Type

Rce | Sqli | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Wili-CMS 0.4.0

No auth needed

Prerequisites: magic_quotes_gpc = off for authentication bypass

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026