Cve-2026-5210 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-5210/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 31 Mar 2026 19:16:29 +0000SourceCodester Leave Application System 1.0 File Inclusion Vulnerability (CVE-2026-5210)https://feed.craftedsignal.io/briefs/2026-04-sourcecodester-lfi/Tue, 31 Mar 2026 19:16:29 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-sourcecodester-lfi/SourceCodester Leave Application System 1.0 is vulnerable to remote file inclusion (CVE-2026-5210) due to improper handling of the 'page' argument, potentially allowing attackers to execute arbitrary code.SourceCodester Leave Application System version 1.0 is vulnerable to a file inclusion vulnerability (CVE-2026-5210). This vulnerability allows a remote attacker to include arbitrary files on the server by manipulating the page argument in a request. The vulnerability exists because the application fails to properly sanitize user-supplied input, leading to the inclusion of potentially malicious files. Public exploits are available, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using the affected application, as it can lead to remote code execution and data exfiltration.

Attack Chain

  1. The attacker identifies a page within the SourceCodester Leave Application System 1.0 that uses the page parameter to include files.
  2. The attacker crafts a malicious URL containing the page parameter, injecting a path to a local file (e.g., ../../../../etc/passwd) or a remote file via a URL.
  3. The vulnerable application processes the attacker-supplied page parameter without proper sanitization or validation.
  4. The application attempts to include the file specified by the attacker’s malicious URL.
  5. If the file is successfully included, the attacker can read sensitive information (e.g., /etc/passwd, database configuration files).
  6. If the attacker can include a PHP file (e.g., via a log poisoning attack), they can achieve remote code execution on the server.
  7. The attacker executes arbitrary commands on the server with the privileges of the web server user.
  8. The attacker can then pivot to other systems, install malware, or exfiltrate sensitive data.

Impact

Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, such as configuration files, source code, and user credentials. Remote code execution is possible if the attacker can include a PHP file, potentially leading to complete system compromise. This could impact all users of the Leave Application System, potentially exposing employee data.

Recommendation

  • Apply available patches or upgrade to a secure version of SourceCodester Leave Application System to remediate CVE-2026-5210.
  • Deploy the provided Sigma rule to detect attempts to exploit the file inclusion vulnerability by monitoring for suspicious page parameter values in web server logs.
  • Implement strict input validation and sanitization for all user-supplied input, especially parameters used for file inclusion.
  • Restrict file system access for the web server user to only the necessary directories to prevent unauthorized file access.
  • Monitor web server logs for access to sensitive files, such as /etc/passwd, database configuration files, and application source code.
  • Block the reported malicious URL https://medium.com/@hemantrajbhati5555/local-file-inclusion-lfi-in-leave-application-system-php-sqlite3-4e095bb7ee40 at the network perimeter.
]]>highadvisorycve-2026-5210file-inclusionweb-application