Boidcms · Boidcms · CVE-2026-39387
**Name of the Vulnerable Software and Affected Versions**
BoidCMS versions prior to 2.1.3
**Description**
The application fails to validate the `tpl` parameter during page creation and updates. The value is passed directly to `require_once()` without path validation, so an authenticated administrator can supply path traversal sequences (`../`) to escape the theme directory and include arbitrary files from the server, including files in the media directory. By uploading a file containing PHP code to the media directory and then including it through the `tpl` parameter, the attacker achieves Remote Code Execution (RCE): arbitrary PHP code, and through it arbitrary commands, run on the host server.
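The following is an added example, not BoidCMS's own code: a hypothetical reconstruction of the inclusion pattern described above beside a hardened template resolver, run against a constructed theme/media layout under the system temp directory. The function names, directory layout and file names are assumptions made for illustration.

```php
<?php
// Added example (not BoidCMS's code). Hypothetical layout: <root>/themes/default and <root>/media.
declare(strict_types=1);

// Vulnerable pattern: the request-supplied $tpl is concatenated into the include
// path with no validation, so "../../media/shell" walks out of the theme directory.
function vulnerable_include_path(string $themeDir, string $tpl): string
{
    return $themeDir . '/' . $tpl . '.php';
}

// Hardened: accept only a bare template name, then require that the resolved file
// is a regular file physically inside the theme directory (realpath follows symlinks).
function resolve_template(string $themeDir, string $tpl): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $tpl)) {
        return null;                      // slashes, dots, NUL bytes, empty string: rejected
    }
    $base = realpath($themeDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $tpl . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the theme dir (e.g. via a symlink)
    }
    return $candidate;
}

// Constructed demo layout: a legitimate theme template and an "uploaded" PHP file in media/.
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl-demo-' . bin2hex(random_bytes(4));
$theme = $root . '/themes/default';
$media = $root . '/media';
mkdir($theme, 0700, true);
mkdir($media, 0700, true);
file_put_contents($theme . '/page.php', "<?php echo \"  -> legitimate template rendered\\n\";\n");
file_put_contents($media . '/shell.php', "<?php echo \"  -> attacker-controlled code executed\\n\";\n");

// 'page' is the intended use; '../../media/shell' is the traversal the advisory describes.
foreach (['page', '../../media/shell', 'missing'] as $tpl) {
    printf("tpl=%s\n", var_export($tpl, true));

    $vuln = vulnerable_include_path($theme, $tpl);
    if (file_exists($vuln)) {
        echo "  vulnerable: includes " . $vuln . "\n";
        require_once $vuln;               // media/shell.php runs here for the traversal input
    } else {
        echo "  vulnerable: file not found\n";
    }

    $safe = resolve_template($theme, $tpl);
    echo "  hardened:   " . ($safe === null ? 'rejected' : 'includes ' . $safe) . "\n";
}

// Clean up the constructed layout.
unlink($theme . '/page.php');
unlink($media . '/shell.php');
rmdir($theme);
rmdir($root . '/themes');
rmdir($media);
rmdir($root);
```

The character allowlist alone already blocks traversal; the `realpath()` containment check is kept as a second layer so that a symlink placed inside the theme directory cannot point the include at a file elsewhere on disk.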
**Recommendations**
Update to version 2.1.3.
As a temporary workaround until the update is applied, restrict access to the `tpl` parameter (page creation and update requests) to trusted accounts, and review the media directory for uploaded files containing PHP code.