CVE-2006-5511

JaxUltraBB 2.0 - Remote Code Execution via delete.php contents parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-5511. PoCs published by Kacper.

AI-analyzed exploit summary: This exploit targets a file deletion vulnerability in JaxUltraBB 2.0 via the 'delete.php' script, allowing an attacker to deface the 'index.php' file by injecting malicious HTML/JavaScript content. The exploit uses a crafted HTTP GET request with null byte injection to bypass path restrictions.

Description

Direct static code injection vulnerability in delete.php in JaxUltraBB (JUBB) 2.0, when register_globals is enabled, allows remote attackers to inject arbitrary web script, HTML, or PHP via the contents parameter, whose value is prepended to the file specified by the forum parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Kacper · php · webapps · php
https://www.exploit-db.com/exploits/2616

Classification
Working Poc 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: JaxUltraBB <= 2.0
No auth needed
Prerequisites: Target server running JaxUltraBB <= 2.0 · Network access to the target server
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/29711
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20679
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/2616

Scores

EPSS 0.0178
EPSS Percentile 75.4%

Details

Status published
Products (1)
jaxultrabb/jaxultrabb 2.0
Published Oct 25, 2006
Tracked Since Feb 18, 2026