PT-2026-32961 · Boidcms · Boidcms

Ckwo · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-39387

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BoidCMS versions prior to 2.1.3

Description: An issue exists where the application fails to sanitize the tpl parameter during page creation and updates. This parameter is passed directly to the require_once() function without path validation. An authenticated administrator can use path traversal sequences to escape the theme directory and include arbitrary files from the server's media directory. By uploading a file containing PHP code and including it via the tpl parameter, an attacker can achieve Remote Code Execution (RCE), which is the ability to execute arbitrary commands on the host server.

Recommendations: Update to version 2.1.3. As a temporary workaround, restrict access to the tpl parameter during page creation and updates until the update is applied.
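One hardened way to resolve a template name before it reaches require_once(), shown as an added example rather than BoidCMS's own code or its 2.1.3 fix; the themes directory layout, the resolveTemplate() name and the request-handling lines are assumptions.

```php
<?php
// Added example (not BoidCMS code): resolve a theme template name safely.
// Assumes templates live directly under $themeDir as "<name>.php".

function resolveTemplate(string $themeDir, string $tpl): ?string
{
    // The unsafe pattern described in the advisory, kept only for contrast:
    //   require_once $themeDir . '/' . $tpl . '.php';   // no validation of $tpl

    // 1. Syntactic allowlist: a template name is one path component,
    //    so "../" sequences and absolute paths are rejected before any I/O.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $tpl)) {
        return null;
    }

    // 2. Canonicalise both the base directory and the candidate file.
    //    realpath() returns false if the file does not exist.
    $base      = realpath($themeDir);
    $candidate = realpath($themeDir . DIRECTORY_SEPARATOR . $tpl . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Containment check: even with a clean name, a symlink inside the
    //    theme directory could point elsewhere (e.g. the media directory),
    //    so the resolved path must still start with the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Hypothetical use in the page create/update handler: reject the request
// instead of including anything when the name does not resolve inside the theme.
$path = resolveTemplate(__DIR__ . '/themes/default', (string) ($_POST['tpl'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('invalid template');
}
require_once $path;
```

A write-up of every rejected name (step 1 or 3 returning null) is also a useful detection signal, since a legitimate editor has no reason to submit traversal sequences in tpl.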
