CVE-2018-8831

MEDIUM

Kodi < 17.6 - Stored Cross-Site Scripting via Playlist

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8831. PoCs published by Manuel García Cárdenas.

AI-analyzed exploit summary This is a writeup describing a persistent XSS vulnerability in Kodi's web interface, where arbitrary HTML/script code can be executed in the context of a victim's browser by injecting malicious code into a playlist.

Description

A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.

Exploits (1)

exploitdb WRITEUP

by Manuel García Cárdenas · textwebappsmultiple

https://www.exploit-db.com/exploits/44487

View Code ZIP pw:eip

This is a writeup describing a persistent XSS vulnerability in Kodi's web interface, where arbitrary HTML/script code can be executed in the context of a victim's browser by injecting malicious code into a playlist.

Classification

Writeup 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Kodi <= 17.6

No auth needed

Prerequisites: Access to the Kodi web interface

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2018/Apr/36

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44487/

Vendor Advisory x_refsource_misc

https://trac.kodi.tv/ticket/17814

Scores

CVSS v3 6.1

EPSS 0.5388

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

kodi/kodi < 17.6

Published Apr 18, 2018

Tracked Since Feb 18, 2026