CVE-2006-3036

35mmslidegallery 6.0 - Cross-Site Scripting via imgdir w h and t Parameters

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-3036. PoCs published by black-cod3.

AI-analyzed exploit summary The exploit demonstrates multiple XSS vulnerabilities in 35mmslidegallery by injecting arbitrary script code via unsanitized input parameters (w, h, t) in popup.php. The PoC uses simple script tags to trigger an alert, confirming the vulnerability.

Description

Multiple cross-site scripting (XSS) vulnerabilities in 35mmslidegallery 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) imgdir parameter in (a) index.php, and the (2) w, (3) h, and (4) t parameters in (b) popup.php.

Exploits (2)

exploitdb WORKING POC VERIFIED

by black-cod3 · textwebappsphp

https://www.exploit-db.com/exploits/28021

View Code ZIP pw:eip

The exploit demonstrates multiple XSS vulnerabilities in 35mmslidegallery by injecting arbitrary script code via unsanitized input parameters (w, h, t) in popup.php. The PoC uses simple script tags to trigger an alert, confirming the vulnerability.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: 35mmslidegallery version 6

No auth needed

Prerequisites: Access to the vulnerable popup.php endpoint

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →