EIP-2026-102455

PRE-CVE

Apache JackRabbit 2.0.0 - webapp XPath Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-102455. PoCs published by ADEO Security.

AI-analyzed exploit summary: The code describes an XPath injection vulnerability in Apache JackRabbit's search.jsp file, where the HTTP GET parameter 'q' is included in an XPath query without sanitization if it starts with 'related:'. This could allow an attacker to manipulate the XPath query.

Description

Apache JackRabbit 2.0.0 - webapp XPath Injection

Exploits (1)

exploitdb WRITEUP
by ADEO Security · text · webapps · jsp
https://www.exploit-db.com/exploits/14617

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache JackRabbit 2.0.0
No auth needed
Prerequisites: Access to the search.jsp endpoint
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026