CVE-2020-26218

HIGH

touchbase.ai < 2.0 - Cross-Site Scripting

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26218. PoCs published by Simran Sankhala.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Touchbase.io 1.1.0 via the 'Add User' module, where malicious JavaScript is injected into the 'Name' field and executed when the 'Contacts' page is visited.

Description

touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting. The vulnerability allows an attacker to inject HTML payloads, which could result in defacement, redirection of users to a malicious webpage or website, etc. The issue is patched in version 2.0.

Exploits (1)

exploitdb WORKING POC
by Simran Sankhala · text · webapps · multiple
https://www.exploit-db.com/exploits/49040

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Touchbase.io 1.1.0
Auth required
Prerequisites: Valid credentials to access the 'Add User' module
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.0
EPSS: 0.0191
EPSS Percentile: 77.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Details

CWE: CWE-80, CWE-79
Status: published
Products (1): touchbase.ai_project/touchbase.ai < 2.0
Published: Nov 11, 2020
Tracked Since: Feb 18, 2026