{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39387", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T22:06:40.515Z", "datePublished": "2026-04-14T22:56:20.935Z", "dateUpdated": "2026-04-15T13:42:26.866Z"}, "containers": {"cna": {"title": "BoidCMS: Local File Inclusion (LFI) leads to Remote Code Execution (RCE) via tpl parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6"}, {"name": "https://github.com/BoidCMS/BoidCMS/releases/tag/v2.1.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/BoidCMS/BoidCMS/releases/tag/v2.1.3"}], "affected": [{"vendor": "BoidCMS", "product": "BoidCMS", "versions": [{"version": "< 2.1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:56:20.935Z"}, "descriptions": [{"lang": "en", "value": "BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) attack via the tpl parameter, which can lead to Remote Code Execution (RCE).The application fails to sanitize the tpl (template) parameter during page creation and updates. This parameter is passed directly to a require_once() statement without path validation. An authenticated administrator can exploit this by injecting path traversal sequences (../) into the tpl value to escape the intended theme directory and include arbitrary files \u2014 specifically, files from the server's media/ directory. When combined with the file upload functionality, this becomes a full RCE chain: an attacker can first upload a file with embedded PHP code (e.g., disguised as image data), then use the path traversal vulnerability to include that file via require_once(), executing the embedded code with web server privileges. This issue has been fixed in version 2.1.3."}], "source": {"advisory": "GHSA-45xp-xw54-6cv6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:42:23.034628Z", "id": "CVE-2026-39387", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:42:26.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39387", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:42:23.034628Z"}}}], "references": [{"url": "https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:42:17.621Z"}}], "cna": {"title": "BoidCMS: Local File Inclusion (LFI) leads to Remote Code Execution (RCE) via tpl parameter", "source": {"advisory": "GHSA-45xp-xw54-6cv6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "BoidCMS", "product": "BoidCMS", "versions": [{"status": "affected", "version": "< 2.1.3"}]}], "references": [{"url": "https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6", "name": "https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/BoidCMS/BoidCMS/releases/tag/v2.1.3", "name": "https://github.com/BoidCMS/BoidCMS/releases/tag/v2.1.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) attack via the tpl parameter, which can lead to Remote Code Execution (RCE).The application fails to sanitize the tpl (template) parameter during page creation and updates. This parameter is passed directly to a require_once() statement without path validation. An authenticated administrator can exploit this by injecting path traversal sequences (../) into the tpl value to escape the intended theme directory and include arbitrary files \u2014 specifically, files from the server's media/ directory. When combined with the file upload functionality, this becomes a full RCE chain: an attacker can first upload a file with embedded PHP code (e.g., disguised as image data), then use the path traversal vulnerability to include that file via require_once(), executing the embedded code with web server privileges. This issue has been fixed in version 2.1.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:56:20.935Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39387", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:42:26.866Z", "dateReserved": "2026-04-06T22:06:40.515Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T22:56:20.935Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) attack via the tpl parameter, which can lead to Remote Code Execution (RCE).The application fails to sanitize the tpl (template) parameter during page creation and updates. This parameter is passed directly to a require_once() statement without path validation. An authenticated administrator can exploit this by injecting path traversal sequences (../) into the tpl value to escape the intended theme directory and include arbitrary files \u2014 specifically, files from the server's media/ directory. When combined with the file upload functionality, this becomes a full RCE chain: an attacker can first upload a file with embedded PHP code (e.g., disguised as image data), then use the path traversal vulnerability to include that file via require_once(), executing the embedded code with web server privileges. This issue has been fixed in version 2.1.3."}], "id": "CVE-2026-39387", "lastModified": "2026-04-15T15:16:41.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T23:16:29.300", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/BoidCMS/BoidCMS/releases/tag/v2.1.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BoidCMS", "source": "cna", "vendor": "BoidCMS"}, "product": "boidcms", "vendor": "boidcms"}], "analysis": {"en": {"generated_at": "2026-04-15T00:51:51.259918+00:00", "value": {"mitigation_remediation": ["Upgrade to BoidCMS 2.1.3 or later, which patches the LFI flaw", "Validate the tpl parameter to allow only filenames within the current theme directory and reject any path\u2011traversal characters", "Disable or harden the file\u2011upload feature until the patch is applied to prevent uploading of PHP code that could later be executed"], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via Local File Inclusion"}, "threat_synthesis": {"affected_systems": "BoidCMS versions prior to 2.1.3 are affected. The product is the open\u2011source, PHP\u2011based flat\u2011file CMS developed by BoidCMS.", "description_and_impact": "An unsanitized tpl (template) parameter is passed directly into a require_once() statement, eliminating path validation. An authenticated administrator can insert path\u2011traversal sequences to escape the intended theme directory and include any file from the server, such as the media/ directory. When coupled with the ability to upload files, an attacker can place a PHP payload disguised as an image, then use the traversal flaw to require that file and execute the malicious code under web\u2011server privileges.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.2, indicating high severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires authenticated administrator access to create or update a page, so it is not publicly exploitable without credentials. Nevertheless, once a privileged user is compromised, an attacker can achieve arbitrary code execution on the host. The likely attack vector is remote, dependent on legitimate credentials and the presence of file upload capabilities."}}}}, "created": "2026-04-15T13:48:23.613785+00:00", "updated": "2026-04-15T14:31:57.021206+00:00", "vendors": ["boidcms", "boidcms$PRODUCT$boidcms"]}