## https://sploitus.com/exploit?id=E546C8C0-498D-59B6-84C9-0388422D0261
# CVE-2026-37072
Veno File Manager Project Veno File Manager Project 4.4.9 is vulnerable to Incorrect Access Control in admin-head-updates.php.

An unauthenticated attacker can exploit a Local File Inclusion vulnerability in the 'lang' GET parameter. By sending a specially crafted POST request with the right file inclusion in the 'lang' URL parameter, the attacker can corrupt the configuration file. A subsequent GET request to the setup endpoint then forces a partial regeneration of the configuration file and resets the superadministrator password to its default value, resulting in full administrative access. No user interaction is required.
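For defenders reviewing web server logs, the two-request sequence described above can be searched for as follows. This is an added example, not code from the advisory or from the Veno File Manager project. It assumes combined-format access logs, language codes shaped like `en` or `pt_BR`, and a setup URL whose path contains the placeholder string `setup`; all paths, addresses and log lines in it are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the advisory): combined log format, language codes
# like "en" / "pt_BR", and a setup path containing SETUP_HINT.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
LANG_OK = re.compile(r'^[A-Za-z]{2,3}([_-][A-Za-z]{2})?$')
SETUP_HINT = "setup"  # placeholder: set to the real setup path of your install

def suspicious_lang(target):
    """Return 'lang' values on admin-head-updates.php that are not plain language codes."""
    url = urlsplit(target)
    if not url.path.endswith("admin-head-updates.php"):
        return []
    values = parse_qs(url.query, keep_blank_values=True).get("lang", [])
    return [v for v in values if not LANG_OK.match(v)]  # parse_qs already URL-decodes

def scan(lines):
    """Flag a POST with a bad 'lang', then any later GET to setup from the same client."""
    findings, tainted = [], set()
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        bad = suspicious_lang(target)
        path = urlsplit(target).path
        if method == "POST" and bad:
            tainted.add(ip)
            findings.append((n, ip, "bad-lang", bad[0]))
        elif method == "GET" and ip in tainted and SETUP_HINT in path:
            findings.append((n, ip, "setup-after-bad-lang", path))
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder paths and values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /fm/index.php?lang=en HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "POST /fm/PLACEHOLDER/admin-head-updates.php?lang=..%2FPLACEHOLDER HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /fm/PLACEHOLDER/setup-placeholder.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2026:10:01:00 +0000] "GET /fm/PLACEHOLDER/setup-placeholder.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `setup-after-bad-lang` hit warrants checking the configuration file's modification time and the superadministrator credentials on that install.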



https://github.com/user-attachments/assets/8fb29ee8-57a6-42ba-bf49-68f6a883b0f6