CVE-2019-11564

MEDIUM

HumHub 1.3.12 - Stored Cross-Site Scripting via POST Request to Index View

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11564. PoCs published by Kağan EĞLENCE.

AI-analyzed exploit summary This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in HumHub 1.3.12. The vulnerability is triggered by sending a POST request with a malicious payload to a specific endpoint, resulting in arbitrary JavaScript execution.

Description

A cross-site scripting (XSS) vulnerability in HumHub 1.3.12 allows remote attackers to inject arbitrary web script or HTML via a /protected/vendor/codeception/codeception/tests/data/app/view/index.php POST request.

Exploits (1)

exploitdb WORKING POC

by Kağan EĞLENCE · textwebappsphp

https://www.exploit-db.com/exploits/46771

View Code ZIP pw:eip

This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in HumHub 1.3.12. The vulnerability is triggered by sending a POST request with a malicious payload to a specific endpoint, resulting in arbitrary JavaScript execution.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: HumHub 1.3.12

No auth needed

Prerequisites: Access to the vulnerable endpoint

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://humhub.org/en/news

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/46771/

Scores

CVSS v3 6.1

EPSS 0.0263

EPSS Percentile 83.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

humhub/humhub 1.3.12

Published May 08, 2019

Tracked Since Feb 18, 2026