EIP-2026-102362
PRE-CVEBusiness Objects Infoview - 'cms' Cross-Site Scripting
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-102362. PoCs published by Sebastien gioria.
AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in Business Objects XI R2 Java versions. The payload injects malicious JavaScript via the 'cms' parameter in the logon URL, bypassing input sanitization.
Description
Business Objects Infoview - 'cms' Cross-Site Scripting
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Sebastien gioria · textwebappsjava
https://www.exploit-db.com/exploits/31641
This exploit demonstrates a cross-site scripting (XSS) vulnerability in Business Objects XI R2 Java versions. The payload injects malicious JavaScript via the 'cms' parameter in the logon URL, bypassing input sanitization.
Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target:
Business Objects XI R2 (Java versions)
No auth needed
Prerequisites:
Victim must visit a crafted URL
MITRE ATT&CK
mistral-large-3 · analyzed Feb 18, 2026
Full analysis →
Details
Status
pre_cve
Tracked Since
Feb 18, 2026