{"id":"CVE-2018-19246","details":"PHP-Proxy 5.1.0 allows remote attackers to read local files if the default \"pre-installed version\" (intended for users who lack shell access to their web server) is used. This occurs because the app_key value aeb067ca0aa9a3193dce3a7264c90187 from the default config.php is still in place; because that value is the same for every such installation and is publicly known, it can easily be used to calculate the authorization data needed for local file inclusion.","aliases":["GHSA-pc5h-m95g-v6rh"],"modified":"2026-03-14T14:33:42.753949Z","published":"2018-11-13T09:29:00.227Z","references":[{"type":"EVIDENCE","url":"https://github.com/Athlon1600/php-proxy-app/issues/134"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/45861/"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19246.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"5.1.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}