CVE-2020-36115

MEDIUM

phpcrud - Stored Cross-Site Scripting via First Name or Last Name Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36115. PoCs published by Mahendra Purbia.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in EgavilanMedia PHPCRUD 1.0. The vulnerability is triggered by injecting malicious JavaScript into the 'Full Name' field, which executes upon page reload.

Description

Stored Cross Site Scripting (XSS) vulnerability in EGavilan Media CRUD Operation with PHP, MySQL, Bootstrap, and Dompdf via First Name or Last Name parameter in the 'Add New Record Feature'.

Exploits (1)

exploitdb WRITEUP
by Mahendra Purbia · text · webapps · php
https://www.exploit-db.com/exploits/49484


Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: EgavilanMedia PHPCRUD 1.0
No auth needed
Prerequisites: Access to the application's 'add new record' functionality
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49484

Scores

CVSS v3: 5.4
EPSS: 0.0060
EPSS Percentile: 43.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): egavilanmedia/phpcrud 1.0
Published: Jan 28, 2021
Tracked Since: Feb 18, 2026