EIP-2026-100774

PRE-CVE

CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-100774. PoCs published by sirpedrotavares.

AI-analyzed exploit summary: This exploit demonstrates multiple stored and unauthenticated XSS vulnerabilities in CHIYU IoT devices. It includes functional HTTP requests with payloads targeting specific parameters in various CGI components, confirming the vulnerabilities.

Description

CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)

Exploits (1)

exploitdb · WORKING POC
by sirpedrotavares · text · webapps · cgi
https://www.exploit-db.com/exploits/49922

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CHIYU IoT devices (BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, SEMAC) with firmware versions < June 2021
Auth required
Prerequisites: Network access to the vulnerable device · Valid authentication credentials for authenticated XSS
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026