EIP-2026-100572

PRE-CVE

Spaw Editor 1.0/2.0 - Arbitrary File Upload

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-100572. PoCs published by Ma3sTr0-Dz.

AI-analyzed exploit summary This exploit demonstrates a remote file upload vulnerability in Spaw Editor v1.0 and v2.0, allowing attackers to upload malicious files (e.g., ASP or PHP shells) by manipulating the file extension in the upload path.

Description

Spaw Editor 1.0/2.0 - Arbitrary File Upload

Exploits (1)

exploitdb WORKING POC VERIFIED

by Ma3sTr0-Dz · textwebappsasp

https://www.exploit-db.com/exploits/12672

View Code ZIP pw:eip

This exploit demonstrates a remote file upload vulnerability in Spaw Editor v1.0 and v2.0, allowing attackers to upload malicious files (e.g., ASP or PHP shells) by manipulating the file extension in the upload path.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Spaw Editor v1.0 & v2.0

No auth needed

Prerequisites: Access to the vulnerable Spaw Editor installation · Ability to send HTTP requests to the target

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026