CVE-2026-28507
Status: Received - Intake
Remote Code Execution via Template Path Traversal in Idno

Publication date: 2026-03-06

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-16
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: withknown
Product: known
Version / Range: up to 1.6.4 (excluding)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28507 is a high-severity remote code execution vulnerability in the Idno social publishing platform versions prior to 1.6.4. It involves two chained issues: first, an arbitrary PHP file write during the WordPress import process, and second, a local file inclusion (LFI) via unsanitized template path traversal.

The arbitrary file write occurs because the import function improperly constructs filenames from attacker-controlled URLs without proper sanitization, allowing an attacker to write a malicious PHP file to the server's temporary directory. The URL validation is weak and can be bypassed.

The local file inclusion vulnerability allows any authenticated user to include and execute the malicious PHP file by exploiting a template parameter that is not properly sanitized, enabling directory traversal and execution of arbitrary commands on the server.

Together, these vulnerabilities allow an attacker to execute arbitrary code remotely: an admin must first import a crafted WordPress XML file, after which any authenticated user can trigger the code execution. [2]


How can this vulnerability impact me?

This vulnerability can have severe impacts including full remote code execution on the server hosting the Idno platform.

  • Confidentiality: An attacker can read any files accessible by the web server user.
  • Integrity: The attacker can execute arbitrary commands, potentially modifying or deleting data.
  • Availability: The attacker can compromise the entire host, potentially causing denial of service or persistent control.

Exploitation requires initial compromise of a web application admin account to perform the malicious import, but once the malicious file is written, any authenticated user can trigger the remote code execution.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying exploitation attempts related to the chained arbitrary PHP file write and local file inclusion (LFI) via template path traversal in Idno versions prior to 1.6.4.

  • Monitor HTTP POST requests to the import endpoint `/admin/import/` for suspicious WordPress WXR XML files containing `<img>` tags with image URLs embedding "wordpress.com" in the path but pointing to attacker-controlled domains.
  • Look for HTTP GET requests to `/search/users/` with unusual `template` parameters containing directory traversal patterns (e.g., `../../../../../../tmp/`) and `.tpl.php` filenames.
  • Check for temporary PHP files in the server's temp directory (e.g., `/tmp/`) with names matching the pattern of an md5 hash plus the basename of a URL, ending in `.tpl.php`.
  • Use web server access logs to identify requests to the `/search/users/` endpoint that include a `cmd` GET parameter, which may indicate attempts to execute OS commands.

Suggested commands to detect exploitation attempts include:

  • On the server, list suspicious temporary files: `ls -l /tmp/*shell.tpl.php` or `find /tmp -name '*.tpl.php'`
  • Search web server logs for import requests: `grep 'POST /admin/import/' /var/log/nginx/access.log` or equivalent.
  • Search logs for suspicious template parameter usage: `grep '/search/users/' /var/log/nginx/access.log | grep 'template='`
  • Monitor for command execution attempts: `grep 'cmd=' /var/log/nginx/access.log` [2]
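The grep commands above match on `template=` or `cmd=` anywhere in the log, which also flags benign requests. The script below, an added example that is not part of the advisory, narrows the checks to the `/search/users/` endpoint, catches both raw and URL-encoded traversal sequences, and runs against a constructed combined-format log; the log layout and the exact request shapes are assumptions.

```shell
#!/bin/sh
# Added example: scan a combined-format access log for the request shapes
# described in the detection notes. Log lines below are constructed.
SAMPLE_LOG="${TMPDIR:-/tmp}/idno_sample_access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [06/Mar/2026:10:00:01 +0000] "GET /search/users/?q=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2026:10:00:02 +0000] "POST /admin/import/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Mar/2026:10:01:00 +0000] "GET /search/users/?template=../../../../../../tmp/x.tpl.php HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.9 - - [06/Mar/2026:10:01:05 +0000] "GET /search/users/?template=..%2F..%2Ftmp%2Fx.tpl.php&cmd=x HTTP/1.1" 200 64 "-" "curl/8.0"
192.0.2.7 - - [06/Mar/2026:10:02:00 +0000] "GET /profile/bob/?template=default HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF

# Requests to /search/users/ whose template parameter carries a traversal
# sequence (raw "../" or URL-encoded "..%2F") or names a .tpl.php file.
# "|| true" keeps a zero count from failing under "set -e".
count_template_traversal() {
    grep -ciE 'GET /search/users/[^"]*template=[^" &]*(\.\./|\.\.%2f|\.tpl\.php)' "$1" || true
}

# Requests to /search/users/ that pass a cmd parameter.
count_cmd_requests() {
    grep -ciE 'GET /search/users/[^"]*[?&]cmd=' "$1" || true
}

# Admin import POSTs, to correlate with the file-write half of the chain.
count_import_posts() {
    grep -c 'POST /admin/import/' "$1" || true
}

# Print the flagged /search/users/ lines for analyst review.
report_flagged() {
    grep -iE 'GET /search/users/[^"]*(template=[^" &]*(\.\./|\.\.%2f|\.tpl\.php)|[?&]cmd=)' "$1" || true
}

echo "template traversal requests: $(count_template_traversal "$SAMPLE_LOG")"
echo "cmd parameter requests:      $(count_cmd_requests "$SAMPLE_LOG")"
echo "admin import POSTs:          $(count_import_posts "$SAMPLE_LOG")"
echo "flagged lines:"
report_flagged "$SAMPLE_LOG"
```

Point the functions at `/var/log/nginx/access.log` (or the Apache equivalent) to run them against real traffic; the `/profile/` request with `template=default` is deliberately left unflagged to show the endpoint filter at work.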


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade the Idno application to version 1.6.4 or later, where this vulnerability has been patched.
  • Restrict access to the import functionality to trusted administrators only and monitor import activity closely.
  • Disable or restrict the text plugin if possible, as it is required for the import vulnerability to be exploitable.
  • If upgrading immediately is not possible, consider disabling the import endpoint `/admin/import/` temporarily to prevent exploitation.
  • Harden template parameter handling by implementing strict input validation or temporarily blocking requests with suspicious `template` parameters containing directory traversal sequences.
  • Review and tighten PHP configuration settings, such as disabling `allow_url_fopen` if not required, to reduce risk.
