CVE-2026-10172

An authenticated admin uploads a crafted ZIP archive containing a malicious `config/config.php` file via `POST /dashboard/module/upload`. The application extracts the archive into `application/modules/` without validating the file contents. When the attacker subsequently loads `GET /dashboard/module/add_module`, the view `add.php` executes `@include()` on the uploaded `config.php`, which runs arbitrary PHP code on the server [ref_id=1]. The attack is remote, requires an admin session, and no special network position beyond HTTP access.

The vulnerable endpoint is `application/modules/dashboard/controllers/Module.php`, specifically the `upload()` function. The sink file is `application/modules/dashboard/views/module/add.php` at lines 50-51, where `@include($file)` is called on an attacker-controlled PHP file. A second `@include()` also exists in `Module.php::install()` at line 97 [ref_id=1].

No patch is published in the bundle. The advisory [ref_id=1] identifies the root cause as unsafe `@include()` of attacker-controlled PHP files in `add.php` (line 51) and `Module.php::install()` (line 97). A proper fix would validate that uploaded ZIP archives contain only expected asset files (images, SQL schemas) and never include executable PHP code, or alternatively remove the `@include()` entirely and use a safe parsing mechanism for module metadata.

1. Log in with an admin account. 2. Prepare a ZIP archive with the structure `test_module/config/config.php` (containing malicious PHP code) plus required dummy files (`assets/data/database.sql`, `assets/images/thumbnail.jpg`). 3. Upload the ZIP via `POST /dashboard/module/upload` with the `module` parameter. 4. Load `GET /dashboard/module/add_module` to trigger `@include()` on the uploaded `config.php`. 5. Access the dropped webshell (e.g., `GET /shell.php?cmd=id`) [ref_id=1].