CVE-2019-25311

MEDIUM

thesystem 1.0 - Stored Cross-Site Scripting via Operating System Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25311. PoCs published by Anıl Baran Yelken.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in 'thesystem' by injecting malicious scripts into form fields, which are then rendered without proper sanitization. The PoC includes HTTP requests showing the injection and retrieval of the XSS payload.

Description

thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. Attackers can submit crafted script payloads in operating_system, system_owner, system_username, system_password, system_description, and server_name parameters to execute arbitrary JavaScript in victim browsers.

Exploits (1)

exploitdb WORKING POC
by Anıl Baran Yelken · text · webapps · python
https://www.exploit-db.com/exploits/47440

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: thesystem 1.0
No auth needed
Prerequisites: Access to the target application's form submission endpoint
devstral-2 · analyzed Feb 17, 2026

References (3)

Core References
Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/47440
Third Party Advisory
https://www.vulncheck.com/advisories/thesystem-persistent-xss

Scores

CVSS v3 6.4
EPSS 0.0020
EPSS Percentile 10.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
kostasmitroglou/thesystem 1.0.0
Published Feb 11, 2026
Tracked Since Feb 18, 2026