EIP-2026-102539

PRE-CVE

Totemomail 4.x/5.x - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-102539. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary This document describes a persistent XSS vulnerability and filter bypass in Totemomail v4.x and v5.x, where malicious script codes can be injected into the 'Subject' and 'Message Body' fields, executed when the message is saved as HTML. The PoC demonstrates bypassing input validation using img tags with onload events.

Description

Totemomail 4.x/5.x - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP

by Vulnerability-Lab · textwebappsjsp

https://www.exploit-db.com/exploits/39720

View Code ZIP pw:eip

This document describes a persistent XSS vulnerability and filter bypass in Totemomail v4.x and v5.x, where malicious script codes can be injected into the 'Subject' and 'Message Body' fields, executed when the message is saved as HTML. The PoC demonstrates bypassing input validation using img tags with onload events.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Totemomail v4.0 b1343 and v5.0 b512

Auth required

Prerequisites: Low-privileged web-application user account · User interaction to save message as HTML

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026