CVE-2026-39387 Overview
BoidCMS, an open-source PHP-based flat-file content management system that uses JSON as its database, contains a critical Local File Inclusion (LFI) vulnerability that can be chained with the file upload functionality to achieve Remote Code Execution (RCE). The vulnerability exists in versions prior to 2.1.3 and affects the tpl (template) parameter during page creation and update operations.
Critical Impact
An attacker holding administrator credentials, or a hijacked administrator session, can use this flaw to execute arbitrary PHP code as the web server user. From there the usual consequences follow: full compromise of the host, theft of the JSON data store and any secrets the web user can read, persistence, and lateral movement within the network.
Affected Products
- BoidCMS versions prior to 2.1.3, the only product named in the advisory
- Any BoidCMS deployment on such a version, regardless of web server or PHP SAPI, since the flaw is in the application's own PHP code
- The full RCE chain additionally requires the upload feature, i.e. a media/ directory writable by the web process, which a working installation has by default
Discovery Timeline
- 2026-04-14 - CVE-2026-39387 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-39387
Vulnerability Analysis
This vulnerability (classified as CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program) allows an authenticated administrator to include arbitrary local files through the template parameter. The attack requires network access and high privileges (administrator authentication), but once these conditions are met, the exploitation is straightforward with no user interaction required.
The vulnerability enables attackers to bypass the intended theme directory restrictions and include files from anywhere on the server that the web process can access. When combined with the legitimate file upload functionality, this creates a complete RCE chain that can compromise the entire web server.
Root Cause
The root cause of this vulnerability lies in the application's failure to properly sanitize the tpl parameter before passing it to a require_once() statement. The template parameter, which is intended to specify a template file within the theme directory, is not validated for path traversal sequences. This allows an attacker to inject directory traversal sequences (../) to escape the intended directory and include arbitrary files from the server's filesystem.
The application lacks input validation to ensure the template path remains within the designated theme directory. Without proper path canonicalization or allowlist validation, the require_once() function processes the malicious path, leading to the inclusion of attacker-controlled files.
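The pattern described above next to a hardened resolver, as an added example. This is not BoidCMS's own code: the directory layout (themes/default/ for templates, media/ for uploads) and the assumption that templates are named <name>.php are made up for the demo.

```php
<?php
// Added example, not BoidCMS code: the unchecked include pattern behind
// CWE-98 next to a resolver that cannot leave the theme directory.
// Assumed layout for the demo: <root>/themes/default/ holds <name>.php
// templates and <root>/media/ holds uploads. BoidCMS's real paths differ.
declare(strict_types=1);

// Vulnerable: the request value is spliced into the path unchanged, so
// tpl=../../media/evil.jpg names the uploaded file. require_once() then
// parses whatever that path holds as PHP, whatever its extension.
function resolve_template_vulnerable(string $themeDir, string $tpl): string
{
    return $themeDir . '/' . $tpl;
}

// Hardened: accept one bare name, canonicalise, and confirm the result is
// still inside the theme directory before it is ever passed to require_once().
function resolve_template_safe(string $themeDir, string $tpl): ?string
{
    // 1. Syntactic allowlist: letters, digits, _ and - only. No separators,
    //    no dots, no NUL bytes, so "../" never gets as far as the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $tpl)) {
        return null;
    }
    // 2. realpath() collapses any ../ and symlinks and returns false when the
    //    file does not exist; canonicalise both sides the same way.
    $base = realpath($themeDir);
    $real = realpath($themeDir . DIRECTORY_SEPARATOR . $tpl . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    // 3. Prefix check with the separator appended, so a sibling such as
    //    themes/default-evil/ is not mistaken for being inside themes/default/.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Self-contained demo on a throwaway tree in the system temp directory.
$root  = sys_get_temp_dir() . '/boidcms-demo-' . bin2hex(random_bytes(4));
$theme = $root . '/themes/default';
$media = $root . '/media';
mkdir($theme, 0700, true);
mkdir($media, 0700, true);
file_put_contents($theme . '/home.php', "<?php echo 'home template';\n");
// Constructed stand-in for an uploaded "image" that carries PHP.
file_put_contents($media . '/evil.jpg', "GIF89a<?php echo 'included from media/';\n");

$payload = '../../media/evil.jpg';
$bad = resolve_template_vulnerable($theme, $payload);
printf("vulnerable resolver -> %s (exists: %s)\n", $bad, file_exists($bad) ? 'yes' : 'no');
var_dump(resolve_template_safe($theme, $payload));   // traversal payload, fails the allowlist
var_dump(resolve_template_safe($theme, 'home'));     // legitimate template name
var_dump(resolve_template_safe($theme, "home\0"));   // NUL byte, fails the allowlist

// Tidy up the demo tree.
unlink($theme . '/home.php');
unlink($media . '/evil.jpg');
foreach ([$theme, dirname($theme), $media, $root] as $dir) {
    rmdir($dir);
}
```

Run it with php from the command line. The allowlist in step 1 is what actually closes the hole; steps 2 and 3 are the belt to that pair of braces, and they also catch the case where a template name is legitimate but the file has been replaced by a symlink pointing outside the theme directory.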
Attack Vector
The attack is executed over the network against authenticated administrator sessions. The exploitation chain consists of two primary steps:
File Upload Phase: The attacker uploads a file containing PHP code through the legitimate upload feature. Because PHP's include family parses the target file as PHP source regardless of its extension, the payload does not need a .php name: a valid image header followed by a PHP block passes an extension or content-type check and is stored in the server's media/ directory.
File Inclusion Phase: The attacker then submits a page create or update request whose tpl parameter contains traversal sequences (../) pointing from the theme directory to the uploaded file. The require_once() statement includes that file and executes the embedded PHP with the privileges of the web server process.
The successful exploitation results in arbitrary code execution within the context of the web server process, enabling the attacker to read sensitive files, modify application data, establish persistence, or pivot to other systems on the network.
Detection Methods for CVE-2026-39387
Indicators of Compromise
- Files in media/ whose content contains PHP open tags (<?php, <?=) or code such as eval(, system( or exec(, whatever their extension; an image header with PHP appended is the classic disguise
- Page create or update requests whose tpl value contains ../ or a URL-encoded form of it (%2e%2e%2f, %2e%2e/, ..%2f). Standard access logs do not record POST bodies, so this needs application-level logging or a reverse proxy or WAF that logs request bodies
- Files in media/ created or modified at times that do not match legitimate administrator uploads
- Unexpected outbound connections or child processes spawned by the web server process (apache2, httpd, php-fpm)
Detection Strategies
- Monitor application or proxy logs for ../ in the tpl parameter, URL-decoding the value at least twice so that encoded and double-encoded variants are caught
- Run file integrity monitoring on the BoidCMS installation, alerting on any new or changed file under media/ and on any change to the CMS's own PHP files
- Scan uploaded files for PHP code markers such as <?php, <?=, eval(, system( or exec(, independent of the file's extension or its image header
- Deploy Web Application Firewall (WAF) rules that block traversal sequences in request parameters, treating them as a detective control that a determined attacker may evade rather than as a fix
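The log and upload checks above as an added example, not BoidCMS code. The request-log format is constructed for the demo and records POST bodies, which a stock web server access log does not; in practice that line would come from a reverse proxy, WAF or application logger configured to capture them.

```php
<?php
// Added example (not BoidCMS code): the two detection checks described above,
// run over constructed sample data. Assumes a request log that records POST
// bodies in a body="..." field; BoidCMS itself does not produce such a log.
declare(strict_types=1);

// Traversal check that survives URL encoding: test the raw value, then decode
// up to twice so that %2e%2e%2f and double-encoded %252e%252e%252f are both
// caught. Either slash direction counts.
function has_traversal(string $value): bool
{
    $candidates = [$value];
    $decoded = $value;
    for ($i = 0; $i < 2; $i++) {
        $decoded = rawurldecode($decoded);
        $candidates[] = $decoded;
    }
    foreach ($candidates as $c) {
        // ".." bounded by a separator or string edge on both sides
        if (preg_match('#(?:^|[/\\\\])\.\.(?:[/\\\\]|$)#', $c)) {
            return true;
        }
    }
    return false;
}

// Pull the tpl parameter out of one log line. Constructed line format:
//   <timestamp> <client> <method> <path> body="<urlencoded form body>"
function tpl_from_log_line(string $line): ?string
{
    if (!preg_match('/ body="([^"]*)"/', $line, $m)) {
        return null;
    }
    // Deliberately not parse_str(): that would decode the value and hide the
    // encoding the attacker used. Split the raw form body instead.
    foreach (explode('&', $m[1]) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        if (rawurldecode($k) === 'tpl') {
            return $v;   // still URL-encoded; has_traversal() handles decoding
        }
    }
    return null;
}

// Markers of PHP code inside uploaded media. <?= is the short echo tag and is
// always enabled; the rest are the usual sinks of a dropped web shell.
const PHP_MARKERS = ['<?php', '<?=', 'eval(', 'system(', 'exec(', 'passthru(', 'shell_exec(', 'assert('];

function php_markers_in(string $content): array
{
    $hits = [];
    foreach (PHP_MARKERS as $marker) {
        if (stripos($content, $marker) !== false) {
            $hits[] = $marker;
        }
    }
    return $hits;
}

// Constructed sample log lines: one benign, one encoded and one double-encoded traversal.
$log = [
    '2026-04-15T09:58:01Z 198.51.100.7 POST /admin/?page=create body="title=About&tpl=page"',
    '2026-04-15T10:02:44Z 203.0.113.5 POST /admin/?page=update body="title=x&tpl=..%2F..%2Fmedia%2Fbanner.jpg"',
    '2026-04-15T10:03:10Z 203.0.113.5 POST /admin/?page=update body="title=x&tpl=%252e%252e%252fmedia%252fbanner.jpg"',
];
foreach ($log as $line) {
    $tpl = tpl_from_log_line($line);
    if ($tpl !== null && has_traversal($tpl)) {
        echo "ALERT traversal in tpl: $line\n";
    }
}

// Constructed upload contents: a clean GIF header and a JPEG header with PHP appended.
$uploads = [
    'logo.gif'   => "GIF89a\x01\x00\x01\x00",
    'banner.jpg' => "\xFF\xD8\xFF\xE0JFIF<?php system(\$_GET['c']); ?>",
];
foreach ($uploads as $name => $bytes) {
    $hits = php_markers_in($bytes);
    if ($hits) {
        echo "ALERT $name contains: " . implode(', ', $hits) . "\n";
    }
}
```

To sweep a real installation, feed php_markers_in() the contents of every file under media/ (a RecursiveDirectoryIterator does the walking) and expect some false positives from legitimate text files; the point is that the check reads content, never the extension.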
Monitoring Recommendations
- Enable detailed logging for all administrative actions within BoidCMS, particularly page creation and template changes
- Alert in real time on uploads whose content contains PHP code, not only on unexpected file extensions, since the include chain does not depend on the extension
- Monitor for unusual process execution or network connections originating from the web server process
- Review administrator account activity for signs of compromise or unauthorized access
How to Mitigate CVE-2026-39387
Immediate Actions Required
- Upgrade BoidCMS to version 2.1.3 or later immediately
- Review administrator account credentials and ensure strong, unique passwords are in place
- Audit the media/ directory for files containing PHP code regardless of extension, and compare file timestamps against known administrator uploads
- Examine web server logs for evidence of exploitation attempts
Patch Information
The vulnerability has been addressed in BoidCMS version 2.1.3. The fix implements proper input validation and sanitization for the tpl parameter, preventing path traversal attacks. Organizations running affected versions should upgrade immediately by downloading the latest release from the BoidCMS Release v2.1.3 page. For complete technical details about the vulnerability, refer to the GitHub Security Advisory GHSA-45xp-xw54-6cv6.
Workarounds
- Restrict the administrative interface to trusted source IP ranges in the web server configuration, since exploitation requires an administrator session
- Add a second authentication layer (such as HTTP Basic Auth) in front of the administrative interface to limit the damage from stolen CMS credentials
- Deny direct requests to script files in media/ so that an uploaded .php file cannot be run by browsing to it; this does not stop the include chain, because require_once() executes the contents of whatever file it is given as PHP regardless of extension or handler configuration
- Deploy a Web Application Firewall with rules that block ../ in request parameters, including URL-encoded (%2e%2e%2f) and double-encoded forms, as a stopgap until the upgrade is done
# Apache 2.4: limit the admin directory to trusted source networks.
# Several Require directives in one <Directory> default to RequireAny.
<Directory "/path/to/boidcms/admin">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</Directory>

# Deny direct execution of scripts uploaded to media/. php_admin_flag is a
# mod_php directive (PHP 8 module mod_php.c; mod_php7.c on PHP 7) and is an
# unknown command under PHP-FPM, hence the IfModule guard; the FilesMatch
# block works with either setup. Neither affects require_once() calls made
# by BoidCMS itself, so this is defence in depth, not a fix for the LFI.
<Directory "/path/to/boidcms/media">
    <IfModule mod_php.c>
        php_admin_flag engine Off
    </IfModule>
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


