CVE-2020-27406

MEDIUM

DynPG 4.9.1 - Authenticated Cross-Site Scripting via Groupname

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-27406. PoCs published by Enes Özeser.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in DynPG 4.9.1, where an authenticated attacker can inject malicious JavaScript into the 'Groupname' field, which executes when viewed by other users.

Description

Cross Site Scripting (XSS) vulnerability in DynPG 4.9.1, allows authenticated attackers to execute arbitrary code via the groupname.

Exploits (1)

exploitdb WORKING POC

by Enes Özeser · textwebappsphp

https://www.exploit-db.com/exploits/48865

View Code ZIP pw:eip

This exploit demonstrates a persistent XSS vulnerability in DynPG 4.9.1, where an authenticated attacker can inject malicious JavaScript into the 'Groupname' field, which executes when viewed by other users.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: DynPG 4.9.1

Auth required

Prerequisites: Authenticated access to the admin panel

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Product x_refsource_misc

http://dynpg.com

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/48865

Scores

CVSS v3 5.4

EPSS 0.0075

EPSS Percentile 50.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

dynpg/dynpg 4.9.1

Published Nov 02, 2021

Tracked Since Feb 18, 2026