EIP-2026-100663

PRE-CVE

Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-100663. PoCs published by Usman Saeed.

AI-analyzed exploit summary: This exploit demonstrates arbitrary file access and reflected XSS vulnerabilities in Sitecore CMS v8.2. The file access vulnerability allows reading arbitrary files via absolute paths, while the XSS vulnerability allows execution of arbitrary JavaScript in the context of an authenticated user.

Description

Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure

Exploits (1)

exploitdb WORKING POC
by Usman Saeed · text · webapps · aspx
https://www.exploit-db.com/exploits/45973


Classification
Working PoC 90%
Attack Type: Info Leak | XSS
Complexity: Trivial
Reliability: Reliable
Target: Sitecore CMS v8.2
Auth required
Prerequisites: Authenticated access to Sitecore CMS as an administrator for file access, and as a normal user for XSS
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026