CVE-2024-26521
Description
HTML Injection vulnerability in CE Phoenix v1.0.8.20 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted payload to the english.php component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CE Phoenix v1.0.8.20 and earlier contains an HTML injection vulnerability in english.php that allows authenticated admin users to achieve remote code execution.
Vulnerability Overview
CVE-2024-26521 describes an HTML injection vulnerability found in CE Phoenix versions up to and including v1.0.8.20. The flaw resides in the english.php component, which is part of the admin language file editing functionality. Due to insufficient input sanitization, an attacker can inject arbitrary HTML or PHP code into language definition files [1].
Exploitation Details
Exploitation requires an authenticated session with administrative privileges to the CE Phoenix admin panel. The attacker navigates to the define_language.php page (e.g., /admin/define_language.php?lngdir=english) and selects the english.php file for editing. A payload such as <?php echo system('cat /etc/passwd'); ?> can then be injected into the file content. After saving the modifications, the injected code is executed when the main page is rendered, leading to arbitrary PHP code execution under the web server context [2].
Impact Assessment
Successful exploitation allows an authenticated admin attacker to execute arbitrary PHP commands on the server. This can lead to full system compromise, including reading sensitive files (e.g., /etc/passwd), escalating privileges, or exfiltrating database credentials and other configuration data. The CVSS v3 base score of 4.8 (Medium) reflects the requirement for administrative authentication but understates the potential for significant damage once access is obtained [1][2].
Mitigation Status
As of the publication date (March 12, 2024), the vulnerability is present in CE Phoenix v1.0.8.20 and earlier. Users should upgrade to a patched version if available. Administrators are advised to review access controls on the admin panel and monitor for unauthorized modifications to language files. No public advisory from the vendor has been linked, but the provided proof-of-concept (PoC) confirms the exploit path [1][2].
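The monitoring advice above, as an added example (not code from CE Phoenix or from the referenced PoC repositories): it compares deployed language files against a known-good copy and flags added lines that contain PHP tags or execution calls. The directory layout, file names, sample constants and the heuristic pattern are assumptions constructed for illustration.

```python
import difflib
import hashlib
import re
import tempfile
from pathlib import Path

# Triage heuristic (assumption): PHP tags or code/command-execution calls in added lines.
SUSPICIOUS = re.compile(
    r"<\?(?:php|=)?|`|\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)

def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_language_dir(baseline_dir, deployed_dir):
    """Diff deployed language files against a known-good copy; one finding per changed file."""
    baseline_dir, deployed_dir = Path(baseline_dir), Path(deployed_dir)
    findings = []
    for deployed in sorted(deployed_dir.rglob("*.php")):
        rel = deployed.relative_to(deployed_dir)
        clean = baseline_dir / rel
        if not clean.is_file():  # file that the known-good copy does not contain
            findings.append({"file": rel.as_posix(), "status": "unexpected", "suspicious": []})
            continue
        if _digest(clean) == _digest(deployed):
            continue
        old = clean.read_text(errors="replace").splitlines()
        new = deployed.read_text(errors="replace").splitlines()
        ops = difflib.SequenceMatcher(a=old, b=new, autojunk=False).get_opcodes()
        added = [ln for tag, _, _, j1, j2 in ops if tag in ("replace", "insert") for ln in new[j1:j2]]
        hits = [ln.strip() for ln in added if SUSPICIOUS.search(ln)]
        findings.append({"file": rel.as_posix(), "status": "modified", "suspicious": hits})
    return findings

def demo():
    """Run the audit on constructed sample trees (not real CE Phoenix files)."""
    clean_src = "<?php\nconst SAMPLE_TITLE = 'Top';\nconst SAMPLE_HOME = 'Home';\n"
    with tempfile.TemporaryDirectory() as tmp:
        base, live = Path(tmp, "baseline"), Path(tmp, "live")
        for root in (base, live):
            root.mkdir()
            (root / "english.php").write_text(clean_src)
            (root / "german.php").write_text(clean_src)
        # Benign edit: an admin changed one translation string.
        (live / "german.php").write_text(clean_src.replace("'Home'", "'Startseite'"))
        # Tampered file: the payload quoted on this page appended after the definitions.
        (live / "english.php").write_text(clean_src + "<?php echo system('cat /etc/passwd'); ?>\n")
        return audit_language_dir(base, live)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_language_dir` at an unpacked copy of the installed release and the live language directory; a `modified` finding with a non-empty `suspicious` list warrants review, and an `unexpected` finding marks a file the known-good copy does not contain.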
- GitHub - hackervegas001/CVE-2024-26521: Html Injection vulnerability in CE-Phoenix-v1.0.8.20 where malicious HTML code is inserted into a website. This can lead to a variety of issues, from minor website defacement to serious data breaches.
- GitHub - capture0x/Phoenix: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The language file editor writes user-supplied content directly into executable PHP files without sanitization, allowing authenticated attackers to inject arbitrary PHP code."
Attack vector
An attacker with admin panel access navigates to `define_language.php?lngdir=english`, clicks on `english.php`, and injects a malicious PHP payload such as `<?php echo system('cat /etc/passwd'); ?>` into the language file [ref_id=2]. After saving the changes, visiting the main page executes the injected PHP code server-side, leading to remote code execution [ref_id=2]. The CVSS vector (PR:H, UI:R) confirms the attacker needs admin privileges and user interaction (saving the file) [CWE-79].
Affected code
The vulnerability is reached through the language file editor in the CE Phoenix admin panel, at `admin/define_language.php?lngdir=english`, when the `english.php` language file is edited [ref_id=2]. The application allows authenticated administrators to edit language definition files, but fails to sanitize or validate the content written into these files [ref_id=1][ref_id=2].
What the fix does
No patch is included in the bundle. The advisory [ref_id=2] demonstrates that the application writes user-supplied PHP code directly into language files without sanitization. A proper fix would require either (a) stripping or encoding PHP open tags and special characters from language file inputs, (b) restricting the `define_language.php` functionality to trusted super-administrators only, or (c) storing language definitions in a database with parameterized rendering rather than writing executable PHP files to disk.
Preconditions
- auth: Attacker must have valid admin panel credentials (authenticated session)
- input: Attacker must navigate to define_language.php and select english.php
- config: The application must have write permissions to the language file directory
Reproduction
1. Log in to the CE Phoenix admin panel.
2. Visit `https://target/admin/define_language.php?lngdir=english`.
3. Click on `english.php` to open the language file editor.
4. Inject the payload `<?php echo system('cat /etc/passwd'); ?>` into the file content.
5. Click "Save Changes".
6. Visit the main page (`https://target/`); the output of the injected command is displayed.

[ref_id=2]
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.