CVE-2006-6018
Published: 2006-11-21
Priority: P4 30 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 1.72% (74.6th percentile)
PHP remote file inclusion vulnerability in mybic_server.php in Jim Plush My-BIC 0.6.5 allows remote attackers to execute arbitrary PHP code via a URL in the INC_PATH parameter, a different vector than CVE-2006-5089. NOTE: this issue is disputed by CVE and third party researchers because INC_PATH is a constant.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jim_plush | my-bic | — | — |
VulDB
Jim Plush My-BIC 0.6.5 mybic_server.php INC_PATH file inclusion (XFDB-30361 / OSVDB-31542)
vuldb·2026-04-28·CVSS 7.5
A vulnerability categorized as critical has been discovered in Jim Plush My-BIC 0.6.5. This issue affects some unknown processing of the file mybic_server.php. Such manipulation of the argument INC_PATH leads to file inclusion.
This vulnerability is documented as CVE-2006-6018. The attack can be executed remotely. There is not any exploit available.
The actual existence of this vulnerability is currently in question.
GHSA
GHSA-v84q-4crc-f5w4: ** DISPUTED ** PHP remote file inclusion vulnerability in mybic_server
ghsa_unreviewed·2022-05-01·CVSS 7.5
** DISPUTED ** PHP remote file inclusion vulnerability in mybic_server.php in Jim Plush My-BIC 0.6.5 allows remote attackers to execute arbitrary PHP code via a URL in the INC_PATH parameter, a different vector than CVE-2006-5089. NOTE: this issue is disputed by CVE and third party researchers because INC_PATH is a constant.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://attrition.org/pipermail/vim/2006-November/001127.html
http://osvdb.org/31542
http://securityreason.com/securityalert/1891
http://www.securityfocus.com/archive/1/451876/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/30361