CVE-2020-26669

MEDIUM

BigTree CMS < 4.4.10 - Authenticated Stored Cross-Site Scripting via Page Content

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26669. PoCs published by SunCSR.

AI-analyzed exploit summary The exploit demonstrates authenticated RCE in BigTree CMS 4.4.10 via crafted settings creation, leveraging the 'parser' parameter to execute system commands. It also includes SQLi and XSS PoCs, all requiring developer-level authentication.

Description

A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update.

Exploits (1)

exploitdb WORKING POC

by SunCSR · textwebappsphp

https://www.exploit-db.com/exploits/48831

View Code ZIP pw:eip

The exploit demonstrates authenticated RCE in BigTree CMS 4.4.10 via crafted settings creation, leveraging the 'parser' parameter to execute system commands. It also includes SQLi and XSS PoCs, all requiring developer-level authentication.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: BigTree CMS 4.4.10

Auth required

Prerequisites: Authenticated developer account · Access to admin panel

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/48831

Scores

CVSS v3 5.4

EPSS 0.0060

EPSS Percentile 44.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

bigtreecms/bigtree_cms < 4.4.10

Published Jun 01, 2021

Tracked Since Feb 18, 2026