BoidCMS LFI to RCE: A Critical Template Flaw

The National Vulnerability Database (NVD) recently detailed a critical vulnerability, CVE-2026-39387, affecting BoidCMS versions prior to 2.1.3. BoidCMS, an open-source, PHP-based flat-file CMS, is designed for simple websites and blogs, leveraging JSON for its data storage. This flaw exposes systems to a Local File Inclusion (LFI) attack via the tpl parameter, a vulnerability that can escalate directly to Remote Code Execution (RCE).

According to NVD, the core issue lies in inadequate sanitization of the tpl (template) parameter during page creation and updates. This parameter is passed directly into a require_once() statement without proper path validation. An authenticated administrator can exploit this by injecting path traversal sequences, like ../, into the tpl value. This allows them to escape the intended theme directory and include arbitrary files from the server, specifically files residing in the media/ directory.

The real kicker? When combined with the CMS’s file upload functionality, this LFI becomes a full-blown RCE chain. An attacker can first upload a file containing embedded PHP code—perhaps disguised as an image. Then, they use the path traversal trick to include that malicious file via require_once(), executing their code with the web server’s privileges. This is a nasty combo. NVD reports the issue has been patched in BoidCMS version 2.1.3, urging users to update immediately. The CVSS score for this vulnerability is 7.2 (HIGH).