EIP-2026-100865

PRE-CVE

Netwin SurgeFTP 2.3a1 - 'SurgeFTPMGR.cgi' Multiple Input Validation Vulnerabilities

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-100865. PoCs published by Umesh Wanve.

AI-analyzed exploit summary: The provided text describes multiple XSS vulnerabilities in Netwin SurgeFTP due to insufficient input sanitization. It includes example HTTP requests demonstrating how malicious scripts can be injected via parameters like 'username', 'searchfor', 'email', and 'filter'.

Description

Netwin SurgeFTP 2.3a1 - 'SurgeFTPMGR.cgi' Multiple Input Validation Vulnerabilities

Exploits (1)

exploitdb · WRITEUP · VERIFIED
by Umesh Wanve · text · webapps · cgi
https://www.exploit-db.com/exploits/29275


Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: Netwin SurgeFTP 2.3a1
Authentication: No auth needed
Prerequisites: Network access to the vulnerable SurgeFTP server
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026