Local File Inclusion Vulnerability in BoidCMS by Boid
CVE-2026-39387

7.2 HIGH

Key Information:

Vendor: Boidcms
Status: Vendor
CVE Published: 14 April 2026

What is CVE-2026-39387?

BoidCMS is a PHP-based flat-file content management system. Versions before 2.1.3 are vulnerable to Local File Inclusion (LFI): the tpl parameter, which selects the theme template when a page is created or updated, is not sufficiently sanitized before it is used to build an include path. An authenticated administrator can place path traversal sequences (such as ../) in the tpl value to escape the intended theme directory and include arbitrary files from the server, in particular files in the media/ directory. Because media/ is where uploaded content is stored, this chains with the file upload functionality into Remote Code Execution (RCE): the attacker uploads a PHP payload disguised as an image and then includes it through the vulnerable tpl parameter, so the server executes it. Note that the attacker must already hold administrator privileges (CVSS Privileges Required: High); the issue is an escalation from CMS administrator to code execution on the host. The issue is fixed in version 2.1.3.
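The include pattern the advisory describes, shown as an added example that is not BoidCMS's own code: a vulnerable include that concatenates the tpl value directly, a hardened resolver that allow-lists the template name and verifies that the canonical path stays inside the theme directory, and the upload-side check that keeps PHP out of an uploads directory such as media/. THEME_DIR, the function names and the <name>.php template convention are assumptions; the advisory does not show how BoidCMS itself builds the path.

```php
<?php
// Added illustration of the advisory's pattern; this is NOT BoidCMS's own
// code. Assumptions: templates live under THEME_DIR, uploads live in a
// sibling directory like BoidCMS's media/, and $tpl is the request-controlled
// "tpl" value an administrator submits when creating or updating a page.
// Function names are hypothetical.
declare(strict_types=1);

const THEME_DIR = __DIR__ . '/themes/default';

// VULNERABLE: the raw tpl value is concatenated into the include path.
// A value such as "../../media/avatar.jpg" walks out of the theme directory,
// and PHP executes any PHP code block inside an included file regardless of
// its extension, so an uploaded "image" that carries PHP code becomes RCE.
function render_vulnerable(string $tpl): void
{
    include THEME_DIR . '/' . $tpl;
}

// HARDENED: validate the name syntactically, then confirm that the resolved
// path is still inside the theme directory. Returns null on any violation.
// The <name>.php convention is this example's own choice: it means only
// files the theme ships as templates can ever be reached through tpl.
function resolve_template(string $tpl): ?string
{
    // 1. Allow-list the shape of a template name: no slashes, dots or NULs.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $tpl)) {
        return null;
    }
    // 2. Canonicalise both sides so symlinks and ../ are resolved before
    //    comparing; realpath() returns false if the file does not exist.
    $base = realpath(THEME_DIR);
    $path = realpath(THEME_DIR . '/' . $tpl . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Prefix check with the separator included, so "themes/default-evil"
    //    does not pass as being under "themes/default".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(string $tpl): void
{
    $path = resolve_template($tpl);
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}

// Upload side of the chain: an image that is really PHP should never reach
// media/. Checking the real content type (not the client-supplied file name
// or Content-Type header) and scanning for an opening PHP tag closes the
// second half of the attack even if an include bug is reintroduced later.
function is_safe_image_upload(string $tmpPath): bool
{
    $info = @getimagesize($tmpPath);           // false if not a parseable image
    if ($info === false) {
        return false;
    }
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP];
    if (!in_array($info[2], $allowed, true)) {
        return false;
    }
    // A valid image can still carry PHP in metadata or trailing bytes.
    $bytes = file_get_contents($tmpPath);
    return $bytes !== false
        && stripos($bytes, '<?php') === false
        && stripos($bytes, '<?=') === false;
}
```

The containment check in resolve_template only helps if the uploads directory is not itself under the theme directory, and the upload filter only helps if the web server is also configured not to execute PHP from the uploads directory; neither replaces upgrading to BoidCMS 2.1.3, which is the vendor's fix for this CVE.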

Affected Version(s)

BoidCMS < 2.1.3


CVSS V3.1

Score: 7.2
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 14 April 2026

  • Vulnerability reserved