CVE-2009-0383

Max.Blog 1.0.6 - Unauthenticated Arbitrary Blog Post Deletion via delete.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-0383. PoCs published by SirGod.

AI-analyzed exploit summary This exploit targets Max.Blog 1.0.6 by sending a crafted HTTP request to delete a post without proper authentication. It leverages a direct object reference vulnerability in the delete.php endpoint.

Description

delete.php in Max.Blog 1.0.6 does not properly restrict access, which allows remote attackers to delete arbitrary blog posts via a direct request.

Exploits (1)

exploitdb WORKING POC VERIFIED
by SirGod · htmlwebappsphp
https://www.exploit-db.com/exploits/7835

This exploit targets Max.Blog 1.0.6 by sending a crafted HTTP request to delete a post without proper authentication. It leverages a direct object reference vulnerability in the delete.php endpoint.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Max.Blog 1.0.6
No auth needed
Prerequisites: Target URL and post ID
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/48125
Patch, Vendor Advisory, URL Repurposed x_refsource_confirm
http://www.mzbservices.com/show_post.php?id=72
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/51482
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7835
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33368
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33590

Scores

EPSS 0.0296
EPSS Percentile 85.4%

Details

CWE
CWE-264
Status published
Products (1)
mzbservices/max.blog 1.0.6
Published Feb 02, 2009
Tracked Since Feb 18, 2026