CVE-2020-26650
Description
AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AtomXCMS 2.0 allows arbitrary file read via the `file` parameter in `/admin/dump.php` without authentication.
Vulnerability
AtomXCMS 2.0 contains an arbitrary file read vulnerability in `/admin/dump.php`. The script accepts a `file` GET parameter and includes it directly, with no sanitization or access control, so an attacker can read sensitive files from the server. The issue is documented in the project's issue tracker [1].
Exploitation
An attacker can exploit this by sending a crafted HTTP GET request to /admin/dump.php?file=/etc/passwd (or any other arbitrary file path) without requiring any authentication or prior user interaction. No special network position is needed beyond normal web access [1].
Impact
A successful attack leads to arbitrary file read, exposing system files such as /etc/passwd or application configuration files containing credentials and secrets. This can enable further compromise of the server and sensitive data disclosure [1].
Mitigation
No official fix has been published as of the disclosure date (October 2020). The project appears to be inactive or unmaintained. Users should consider removing or restricting access to /admin/dump.php and migrating away from AtomXCMS 2.0 to a supported alternative [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
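Because no patch exists, reviewing web server logs for past requests to the endpoint is a practical complement to the mitigation above. The following is an added example, not code from AtomXCMS or from this advisory: it scans access-log text for requests to /admin/dump.php that carry a file parameter and reports whether the server answered with a 2xx status. The combined log format, the function name find_dump_reads and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2020:10:01:02 +0000] "GET /admin/dump.php?file=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.68.0"
203.0.113.7 - - [12/Oct/2020:10:01:09 +0000] "GET /admin//dump.php?file=%2Fetc%2Fpasswd HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.4 - - [12/Oct/2020:10:02:30 +0000] "GET /index.php?file=readme.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2020:10:03:11 +0000] "GET /admin/dump.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Assumed log layout: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_dump_reads(log_text):
    """Return one dict per request to /admin/dump.php that supplied a file parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        url = urlsplit(m["target"])
        # Collapse repeated slashes and dot segments so /admin//dump.php still matches.
        # Lower-casing is deliberately over-inclusive (case-insensitive file systems).
        path = posixpath.normpath(re.sub(r"/+", "/", unquote(url.path))).lower()
        if path != "/admin/dump.php":
            continue
        files = parse_qs(url.query).get("file")  # parse_qs percent-decodes the value
        if not files:
            continue  # endpoint requested without the file parameter
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "file": files[0],
            "served": m["status"].startswith("2"),  # 2xx: a response body was returned
        })
    return hits


if __name__ == "__main__":
    for hit in find_dump_reads(SAMPLE_LOG):
        print(hit)
```

Entries with served set to True are the ones to prioritise when deciding which credentials and secrets to rotate; entries answered with 403 indicate the access restriction is taking effect.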
Affected products
- AtomXCMS/AtomXCMS
- Range: = 2.0
Patches
No patches discovered yet.
References
- [1] github.com/Drunyacoder/AtomXCMS-2/issues/20 (mitre, x_refsource_MISC)