What the vulnerability does
01Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion.This issue affects JS Job Manager: from n/a through <= 2.0.2.
Explanation of Vulnerability in Simple Terms
02Summary
JS Job Manager versions 2.0.2 and earlier contain a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary code on the site. The vulnerability requires network access and an active user account but no additional user interaction. This affects the confidentiality, integrity, and availability of the entire site.
What an attacker can do
03Attacker Capabilities
Run arbitrary code on the site with full access to the database and file system.
Potential impact on your site
04Site Impact
Any registered user can compromise the entire site, steal data, modify content, or take the site offline.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site; network access to the site.
Key dates
06Disclosure timeline
April 4, 2025
CVE published
April 28, 2026
Record updated