Pico 3.0.0-alpha.2 Exploit, Jun 2026

The vulnerability in Pico 3.0.0-alpha.2 centers on improper input validation and flaws in the routing engine. Because flat-file CMS architectures rely heavily on directory structures to map URLs onto pages, strict file path sanitization is mandatory.

1. Path Traversal and File Inclusion

This post provides a forensic analysis of the exploit, how it works, and why upgrading is no longer optional—it’s mandatory.

The official repository for Pico CMS on GitHub carries a stark and important "END OF LIFE NOTICE". Development on Pico CMS has stopped entirely because of its incompatibility with modern PHP versions. The v3.0.0-alpha.2 release is explicitly listed as a last-resort option for those stuck with legacy PHP setups, being "as stable as the last 'stable' releases, but just didn't make it through the release process before development was abandoned".

The final exploit allows an attacker (or a developer looking to bypass limits) to run any single-line code for just

Limitations: The exploit cannot handle PICO-8 shorthand syntax extensions, shorthand

Critical Context: Pico CMS 3.0.0-alpha.2

If you are researching this for web development, note that Pico CMS v3.0.0-alpha.2 was released specifically to

To understand how this exploit evolved, review the timeline:

To understand how software handles external instructions, it helps to examine how data flows through a typical application environment. The following diagram illustrates how user requests move from an external network through a routing system like FastCGI, into the application core (such as a CMS or editor engine), and interact with system files.

Understanding the 3.0.0-alpha.2 Security Landscape

Prior to patching, custom source code placed inside a multiline string container is evaluated by the engine as a single token.

Here's how the PICO-8 interpreter breaks down this deceptively simple payload:

The PICO-8 developer, Zep, was made aware of the exploit and acknowledged it publicly on the Lexaloffle forums, stating that he is "fixing this". Zep has historically been against adding compound operators (+=) to the syntax, but this exploit and other preprocessor oddities have reinforced the argument for ditching the preprocessor entirely in favor of a proper parser.

POST /?action=preview_theme HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded