CVE-2009-4266

YABSoft Advanced Image Hosting Script 2.2 - Cross-Site Scripting via search.php text parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4266. PoCs published by R3VAN_BASTARD.

AI-analyzed exploit summary: The exploit demonstrates multiple file-include vulnerabilities in UBB.threads 7.5.4.2 due to insufficient sanitization of user-supplied data. It includes examples for remote file inclusion (RFI) and local file inclusion (LFI) via crafted URIs.

Description

Cross-site scripting (XSS) vulnerability in search.php in YABSoft Advanced Image Hosting (AIH) Script 2.2, and possibly 2.3, allows remote attackers to inject arbitrary web script or HTML via the text parameter.

Exploits (1)

exploitdb WORKING POC
by R3VAN_BASTARD · text · webapps · php
https://www.exploit-db.com/exploits/10305

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: UBB.threads 7.5.4.2
No auth needed
Prerequisites: Network access to the target server · UBB.threads installation with vulnerable endpoints exposed
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/10336
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54582
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34366

Scores

EPSS 0.0145
EPSS Percentile 69.9%

Details

CWE: CWE-79
Status published
Products (2)
yabsoft/advanced_image_hosting_script 2.2
yabsoft/advanced_image_hosting_script 2.3
Published Dec 10, 2009
Tracked Since Feb 18, 2026