CVE-2026-28507
Remote Code Execution via Template Path Traversal in Idno
Publication date: 2026-03-06
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| withknown | known | all versions before 1.6.4 (1.6.4 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28507 is a high-severity remote code execution vulnerability in the Idno social publishing platform, versions prior to 1.6.4. It chains two issues: first, an arbitrary PHP file write during the WordPress import process, and second, a local file inclusion (LFI) via unsanitized template path traversal.
The arbitrary file write occurs because the import function constructs filenames from attacker-controlled URLs without proper sanitization, allowing an attacker to write a malicious PHP file to the server's temporary directory. The URL validation is weak and can be bypassed.
The local file inclusion allows any authenticated user to include and execute the malicious PHP file by exploiting a template parameter that is not properly sanitized, enabling directory traversal and execution of arbitrary commands on the server.
Together, these issues allow remote code execution: an admin must first import a crafted WordPress XML file, after which any authenticated user can trigger execution of the written file. [2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including full remote code execution on the server hosting the Idno platform.
- Confidentiality: An attacker can read any files accessible by the web server user.
- Integrity: The attacker can execute arbitrary commands, potentially modifying or deleting data.
- Availability: The attacker can compromise the entire host, potentially causing denial of service or persistent control.
Exploitation requires initial compromise of a web application admin account to perform the malicious import, but once the malicious file is written, any authenticated user can trigger the remote code execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying exploitation attempts related to the chained arbitrary PHP file write and local file inclusion (LFI) via template path traversal in Idno versions prior to 1.6.4.
- Monitor HTTP POST requests to the import endpoint `/admin/import/` for suspicious WordPress WXR XML files containing `<img>` tags with image URLs that embed "wordpress.com" in the path but point to attacker-controlled domains.
- Look for HTTP GET requests to `/search/users/` with unusual `template` parameters containing directory traversal patterns (e.g., `../../../../../../tmp/`) and `.tpl.php` filenames.
- Check the server's temp directory (e.g., `/tmp/`) for PHP files whose names follow the pattern of an md5 hash plus the basename of a URL, ending in `.tpl.php`.
- Use web server access logs to identify requests to the `/search/users/` endpoint that pass commands via the `cmd` GET parameter, which may indicate attempts to execute OS commands.
Suggested commands to detect exploitation attempts include:
- On the server, list suspicious temporary files: `ls -l /tmp/*shell.tpl.php` or `find /tmp -name '*.tpl.php'`
- Search web server logs for import requests: `grep 'POST /admin/import/' /var/log/nginx/access.log` or equivalent.
- Search logs for suspicious template parameter usage: `grep '/search/users/' /var/log/nginx/access.log | grep 'template='`
- Monitor for command execution attempts: `grep 'cmd=' /var/log/nginx/access.log` [2]
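The grep commands above are a first pass; the following is an added Python example (not part of this advisory and not Idno project code) that does the same triage more carefully. It parses combined-format access-log lines, URL-decodes the `template` parameter repeatedly so that double-encoded traversal is not missed, and tags each line with the indicators it matches, so a line carrying both a traversal and a `cmd` parameter stands out. The sample log lines are constructed, and the temp-file name pattern (32 hex characters followed by a basename ending in `.tpl.php`) is an assumption about the exact shape, which the advisory only describes loosely.

```python
"""Tag web-server access-log lines with the CVE-2026-28507 indicators listed above."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; none of this is real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Mar/2026:10:01:02 +0000] "POST /admin/import/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Mar/2026:10:03:15 +0000] "GET /search/users/?q=a&template=../../../../../../tmp/c0ffee_shell.tpl.php&cmd=test HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [06/Mar/2026:10:04:00 +0000] "GET /search/users/?q=bob HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Mar/2026:10:05:00 +0000] "GET /search/users/?template=%252e%252e%252f%252e%252e%252ftmp%252fx HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.5 - - [06/Mar/2026:10:06:00 +0000] "GET /search/users/?template=default HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component, with either separator, anywhere in the decoded value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Assumed shape of the dropped file: 32 hex chars (md5) then a basename ending
# in .tpl.php. The separator between the two is not documented, so any is accepted.
TMP_NAME_RE = re.compile(r'^[0-9a-f]{32}.*\.tpl\.php$', re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators_for(line: str) -> List[str]:
    """Return the sorted, de-duplicated indicator tags that apply to one log line."""
    rec = parse_line(line)
    if rec is None:
        return []
    parts = urlsplit(rec['target'])
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes one level
    tags = set()
    if rec['method'] == 'POST' and parts.path.startswith('/admin/import/'):
        tags.add('import_post')
    if parts.path.startswith('/search/users/'):
        for tpl in query.get('template', []):
            tpl = fully_decode(tpl)
            if TRAVERSAL_RE.search(tpl):
                tags.add('template_traversal')
            if tpl.lower().endswith('.tpl.php'):
                tags.add('template_tpl_php')
        if 'cmd' in query:
            tags.add('cmd_param')
    return sorted(tags)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that matched at least one indicator."""
    hits = []
    for line in lines:
        tags = indicators_for(line)
        if tags:
            rec = parse_line(line)
            hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'tags': tags})
    return hits


def is_suspicious_tmp_name(filename: str) -> bool:
    """Check a temp-directory entry against the assumed dropped-file name pattern."""
    return TMP_NAME_RE.match(filename) is not None


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

To run it on a real log, replace `SAMPLE_LOG` with `open('/var/log/nginx/access.log').read().splitlines()`; an `import_post` hit is only noteworthy when it is not an expected admin action, while `template_traversal` or `cmd_param` on `/search/users/` has no legitimate use and is worth an incident ticket on its own.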
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade the Idno application to version 1.6.4 or later, where this vulnerability has been patched.
- Restrict access to the import functionality to trusted administrators only and monitor import activity closely.
- Disable or restrict the text plugin if possible, as it is required for the import vulnerability to be exploitable.
- If upgrading immediately is not possible, consider disabling the import endpoint `/admin/import/` temporarily to prevent exploitation.
- Harden template parameter handling by implementing strict input validation or temporarily blocking requests with suspicious `template` parameters containing directory traversal sequences.
- Review and tighten PHP configuration settings, such as disabling `allow_url_fopen` if not required, to reduce risk.
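The template-parameter hardening in the fifth point, as an added example written in Python rather than Idno's PHP and not taken from the project: a template name is accepted only if it matches a strict allowlist, and the canonical path it resolves to must stay inside the configured template directory. The directory path and the `.tpl.php` suffix are assumptions.

```python
"""Two-layer validation of a user-supplied template name (illustrative, not Idno code)."""
import os
import re

# Assumed location of the application's templates.
TEMPLATE_DIR = '/srv/idno/templates'
# Allowlist: a bare template name, no separators, dots or NUL bytes at all.
TEMPLATE_NAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def resolve_template(name: str, template_dir: str = TEMPLATE_DIR) -> str:
    """Return the absolute path of the template file, or raise ValueError.

    Layer 1: the allowlist rejects anything that is not a plain name, so
    `..`, `/`, `\\` and encoded variants never reach the filesystem at all.
    Layer 2: the canonical-path check guarantees the result lies inside
    template_dir even if the allowlist is loosened later or a symlink is
    planted in the template directory.
    """
    if not TEMPLATE_NAME_RE.fullmatch(name):
        raise ValueError(f'rejected template name: {name!r}')
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, name + '.tpl.php'))
    # commonpath, not startswith: /srv/tpl must not accept /srv/tpl-evil/x
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f'template escapes directory: {candidate!r}')
    return candidate


def is_safe_template(name: str, template_dir: str = TEMPLATE_DIR) -> bool:
    """Boolean wrapper, convenient for request filtering or unit tests."""
    try:
        resolve_template(name, template_dir)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    for candidate in ('default', '../../../../tmp/x', 'a/b', '', 'x.tpl.php'):
        print(f'{candidate!r:28} -> {is_safe_template(candidate)}')
```

The same two layers map directly onto a PHP implementation (`preg_match` for the allowlist, `realpath` plus a prefix comparison for the confinement); the point is that the allowlist alone is sufficient today, and the path check is what keeps a future relaxation of the allowlist from reintroducing the traversal.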