EIP-2026-102430
PRE-CVE
Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
Title source: legacy
Exploitation Summary
EIP tracks 1 public exploit for EIP-2026-102430. PoCs published by hantwister.
AI-analyzed exploit summary: This exploit leverages a sandbox escape vulnerability in Apache Tomcat 8.0.36 by manipulating the SecurityManager via reflection and proprietary JSP evaluation methods. It demonstrates RCE by executing 'calc' after disabling the SecurityManager.
Description
Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
Exploits (1)
exploitdb
WORKING POC
by hantwister · text · webapps · java
https://www.exploit-db.com/exploits/47892
Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target:
Apache Tomcat 8.0.36
No auth needed
Prerequisites:
Tomcat 8.0.36 with SecurityManager enabled · Ability to deploy a JSP file
devstral-2 · analyzed Feb 16, 2026
Details
Status
pre_cve
Tracked Since
Feb 18, 2026