CVE-2026-39387
Local File Inclusion in BoidCMS Enables Remote Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| boidcms | boidcms | up to 2.1.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
Can you explain this vulnerability to me?
BoidCMS versions prior to 2.1.3 have a critical Local File Inclusion (LFI) vulnerability in the tpl (template) parameter. This parameter is not properly sanitized and is directly used in a require_once() statement without validating the file path.
An authenticated administrator can exploit this by injecting path traversal sequences (../) into the tpl parameter to escape the intended theme directory and include arbitrary files from the server's media/ directory.
When combined with the file upload feature, an attacker can upload a file containing malicious PHP code disguised as image data, then include and execute that file via the tpl parameter, resulting in Remote Code Execution (RCE) with web server privileges.
This vulnerability was fixed in version 2.1.3.
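To make the CWE-98 pattern concrete, here is an added illustrative contrast between the unsafe shape the answer above describes and an allowlist-plus-canonical-path resolver. This is example code written for this page, not BoidCMS's source and not the actual 2.1.3 patch; the function names, the theme directory layout and the `.php` suffix are assumptions.

```php
<?php
// Added illustrative example, not BoidCMS code. The function names, the
// theme directory layout and the ".php" suffix are assumptions made for
// this demonstration of the CWE-98 pattern and its fix.
declare(strict_types=1);

/**
 * Vulnerable shape (shown only for contrast): the request value is used in
 * require_once without validation, so ".." segments escape the theme dir.
 */
function load_template_unsafe(string $themeDir, string $tpl): void
{
    require_once $themeDir . '/' . $tpl . '.php';   // CWE-98: do not use
}

/**
 * Hardened resolver. Returns the canonical file path, or null when the name
 * is not on the allowlist, the file does not exist, or the canonical path
 * leaves the theme directory (covers symlinks planted inside the theme dir).
 */
function resolve_template(string $themeDir, string $tpl): ?string
{
    // 1. Syntactic allowlist: a bare name, no separators, no dots.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $tpl)) {
        return null;
    }

    $base = realpath($themeDir);
    if ($base === false) {
        return null;
    }

    // 2. Canonicalise the candidate; realpath() also fails for missing files.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $tpl . '.php');
    if ($candidate === false) {
        return null;
    }

    // 3. Containment: the canonical path must still start with "<theme>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

function load_template(string $themeDir, string $tpl): void
{
    $path = resolve_template($themeDir, $tpl);
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    require_once $path;
}

// Constructed demo: a temporary theme directory with one legitimate template.
$theme = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-theme-' . bin2hex(random_bytes(4));
mkdir($theme, 0700);
file_put_contents($theme . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

foreach (['home', '../../media/x.png', 'missing'] as $name) {
    $result = resolve_template($theme, $name);
    printf("%-20s -> %s\n", $name, $result === null ? 'rejected' : 'ok');
}
```

The allowlist alone already stops traversal; the `realpath()` containment check is the second layer, so that a symlink or an unexpected file inside the theme directory cannot redirect the include outside it. Rejecting unknown names with a 400 rather than falling back to a default also makes probing attempts visible in the access log.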
How can this vulnerability impact me?
This vulnerability can lead to Remote Code Execution (RCE) on the affected server, allowing an attacker with administrator access to execute arbitrary code with the privileges of the web server.
Such an exploit can compromise the confidentiality, integrity, and availability of the system by allowing unauthorized access, data manipulation, or disruption of services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the BoidCMS installation is running a version prior to 2.1.3 and if the tpl parameter is being used in requests. Since the vulnerability involves Local File Inclusion via the tpl parameter, monitoring web server logs for requests containing path traversal sequences such as '../' in the tpl parameter can help identify exploitation attempts.
Commands to detect potential exploitation attempts might include searching web server logs for suspicious tpl parameter usage. For example, using grep on Apache or Nginx access logs:
- `grep -i 'tpl=.*\.\./' /var/log/apache2/access.log`
- `grep -i 'tpl=.*\.\./' /var/log/nginx/access.log`
Additionally, verifying the installed BoidCMS version can be done by checking the application version file or admin interface to ensure it is 2.1.3 or later.
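A literal grep for `../` misses percent-encoded forms of the same sequence (`%2e%2e%2f`, and double-encoded `%252e%252e%252f`). The following added detector, written for this page and not part of the CVE record, parses combined-format access log lines, decodes the `tpl` query parameter the way the server would, and flags traversal or absolute paths. The `/admin?page=...` request shape and the log lines are constructed sample data, not captured BoidCMS traffic.

```php
<?php
// Added example, not part of the CVE record: scan access log lines for path
// traversal in the "tpl" query parameter, including percent-encoded variants
// that a literal grep for "../" does not catch. The log lines and the
// /admin request path are constructed for this demo.
declare(strict_types=1);

/**
 * True when the request target carries a tpl parameter that, after
 * percent-decoding, contains a ".." segment or starts with a slash.
 */
function tpl_is_suspicious(string $requestTarget): bool
{
    $query = parse_url($requestTarget, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);                 // decodes one layer of %XX
    if (!isset($params['tpl']) || !is_string($params['tpl'])) {
        return false;
    }
    $tpl = $params['tpl'];
    for ($i = 0; $i < 3; $i++) {                // unwrap double encoding
        $decoded = rawurldecode($tpl);
        if ($decoded === $tpl) {
            break;
        }
        $tpl = $decoded;
    }
    $tpl = str_replace('\\', '/', $tpl);        // treat backslash as separator
    return preg_match('#(^|/)\.\.(/|$)|^/#', $tpl) === 1;
}

/**
 * Parse a combined-format access log line into its interesting fields.
 */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

/** Return the parsed requests whose tpl parameter looks like traversal. */
function find_suspicious(iterable $lines): array
{
    $hits = [];
    $n = 0;
    foreach ($lines as $line) {
        $n++;
        $req = parse_log_line($line);
        if ($req !== null && tpl_is_suspicious($req['target'])) {
            $hits[] = ['line' => $n] + $req;
        }
    }
    return $hits;
}

// Constructed sample (client addresses from the RFC 5737 documentation ranges).
$sample = [
    '203.0.113.5 - - [14/Apr/2026:10:00:00 +0000] "GET /admin?page=themes&tpl=home HTTP/1.1" 200 1024',
    '203.0.113.5 - - [14/Apr/2026:10:00:07 +0000] "GET /admin?page=themes&tpl=../../media/x.png HTTP/1.1" 200 88',
    '203.0.113.9 - - [14/Apr/2026:10:00:09 +0000] "GET /admin?tpl=%2e%2e%2fmedia%2fx.png HTTP/1.1" 200 88',
    '203.0.113.9 - - [14/Apr/2026:10:00:11 +0000] "GET /admin?tpl=%252e%252e%252fmedia%252fx.png HTTP/1.1" 200 88',
    '198.51.100.2 - - [14/Apr/2026:10:01:00 +0000] "POST /admin?page=upload HTTP/1.1" 302 0',
];

foreach (find_suspicious($sample) as $hit) {
    printf("line %d  %s  %s %s  status %d\n",
        $hit['line'], $hit['ip'], $hit['method'], $hit['target'], $hit['status']);
}
```

Run it with `php detect_tpl.php` (any file name) or swap the `$sample` array for `file('/var/log/nginx/access.log')`. Two caveats apply: access logs record only the query string, so a `tpl` value sent in a POST body is invisible here unless a reverse proxy or WAF logs request bodies; and because exploitation requires an authenticated administrator, a hit on an administrator's own session is a strong signal that the account is compromised, not merely that someone is scanning.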
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade BoidCMS to version 2.1.3 or later, where this Local File Inclusion vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the administrative interface to trusted users only, as exploitation requires authenticated administrator privileges.
Additionally, monitor and block suspicious requests containing path traversal sequences in the tpl parameter to prevent exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in BoidCMS allows an authenticated administrator to perform Local File Inclusion leading to Remote Code Execution, which can result in unauthorized access and control over the web server.
Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system integrity.
However, the provided information does not explicitly detail the direct effects on compliance with these standards.