Key Information

Affected Product
- Product Name: Recruitment Management System
- Version: 1.0
- Affected File: /admin/index.php

Vulnerability Type
- Type: Filename Control (Local File Inclusion, LFI)

Root Cause
The application uses the user-controllable parameter directly to construct a file path and passes it to the inclusion function without any validation, filtering, or whitelist processing.

Impact
An attacker can craft parameter values that cause arbitrary local files to be included, leading to execution of malicious code or disclosure of sensitive data.

Description
During a security assessment of the Recruitment Management System project, a high-risk Local File Inclusion (LFI) vulnerability was discovered in the core entry file. The vulnerability arises from improper handling of the user input parameter within the application's file inclusion logic.

Authentication Requirement
Exploiting this vulnerability requires login or authorization.
- Default Credentials: Username: admin, Password: admin123

Exploitation Example

Recommended Mitigation Measures
- Use predefined paths and a filename whitelist.
- Perform strict validation and sanitization on all incoming data.
- Implement a Web Application Firewall (WAF).
- Follow the Principle of Least Privilege (PoLP) for database users.
- Regularly update and patch the application.
- Monitor logs to detect suspicious activity.
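The root cause and the whitelist mitigation side by side, as an added example (this is not code from the Recruitment Management System; the advisory does not name the parameter or the include call, so the `page` parameter, the `pages/` directory and the page names below are assumed):

```php
<?php
// Added example, not the project's own code. The real parameter and include
// call in /admin/index.php are not given in the advisory; 'page' is an
// assumed parameter name and the page list below is constructed.

// Vulnerable pattern (the root cause the advisory describes): the request
// value is used as-is to build the path, so any readable local file can be
// included. Shown only for contrast; never call it.
function include_page_unsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page;   // no validation, no whitelist
}

// Hardened form: map the request value through a fixed allow-list of known
// page keys, then confirm the resolved path still sits inside the intended
// directory before including it.
const ALLOWED_PAGES = [
    'dashboard'  => 'dashboard.php',   // constructed sample entries
    'vacancies'  => 'vacancies.php',
    'applicants' => 'applicants.php',
];

function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                       // unknown key: reject, build no path
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: even a whitelisted entry must resolve inside $baseDir
    // (realpath() returns false for missing files, which is also rejected).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'dashboard';   // 'page' is an assumed name
$target = resolve_page($requested, __DIR__ . '/pages');
if ($target === null) {
    http_response_code(400);
    // Rejected values are worth logging: they are the signal the advisory's
    // "monitor logs" recommendation is looking for.
    error_log('rejected page parameter: ' . $requested);
    exit;
}
include $target;
```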