PMB 5.6 - 'chemin' Local File Disclosure | Advisories

Advisories

PMB 5.6 - 'chemin' Local File Disclosure

severity: medium
date: January 28, 2026
Affecting: PMB Services 5.6
CVE: CVE-2020-36970
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-49054
Vendor Homepage
Software Download Repository
Credit: 41-trk (Tarik Bakir)
Description: PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. Attackers can exploit the unsanitized file path input to access sensitive files like /etc/passwd by sending crafted requests to the getgif.php endpoint.