EIP-2026-100324

PRE-CVE

FCKEditor Core ASP 2.6.8 - Arbitrary File Upload Protection Bypass

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-100324. PoCs published by Soroush Dalili.

AI-analyzed exploit summary This writeup describes a file upload protection bypass vulnerability in FCKEditor 2.6.8 ASP version. The vulnerability allows uploading files with arbitrary extensions by exploiting improper validation of duplicate filenames, using techniques like null character injection or semicolon-based extension manipulation.

Description

FCKEditor Core ASP 2.6.8 - Arbitrary File Upload Protection Bypass

Exploits (1)

exploitdb WRITEUP

by Soroush Dalili · textwebappsasp

https://www.exploit-db.com/exploits/23005

View Code ZIP pw:eip

This writeup describes a file upload protection bypass vulnerability in FCKEditor 2.6.8 ASP version. The vulnerability allows uploading files with arbitrary extensions by exploiting improper validation of duplicate filenames, using techniques like null character injection or semicolon-based extension manipulation.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: FCKEditor 2.6.8 ASP

Auth required

Prerequisites: Access to FCKEditor file upload functionality · Knowledge of the vulnerable file upload mechanism

MITRE ATT&CK

T1550.001 - Application Access Token

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026