CVE-2018-18416

MEDIUM

LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting via site_name Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18416. PoCs published by Ismail Tasdelen.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in LANGO Codeigniter Multilingual Script 1.0 via the site_name parameter in the admin/settings/update URI. The payload injects HTML and JavaScript into form fields, which are then rendered in the application.

Description

LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the site_name parameter to the admin/settings/update URI.

Exploits (1)

exploitdb · WORKING POC
by Ismail Tasdelen · text · webapps · php
https://www.exploit-db.com/exploits/45672

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: LANGO - Codeigniter Multilingual Script 1.0
Auth required
Prerequisites: Admin access to the target application · Valid session cookies
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45672/

Scores

CVSS v3 4.8
EPSS 0.0165
EPSS Percentile 73.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
pokkho/lango 1.0
Published Oct 19, 2018
Tracked Since Feb 18, 2026