EIP-2026-103230

PRE-CVE

TCPDF 4.5.036/4.9.5 - 'params' Attribute Remote Code Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-103230. PoCs published by apoc.

AI-analyzed exploit summary: This exploit leverages a code injection vulnerability in TCPDF by injecting arbitrary PHP code via the 'params' attribute of the 'Rect' method. The payload executes the 'id' command, demonstrating remote code execution (RCE) capabilities.

Description

TCPDF 4.5.036/4.9.5 - 'params' Attribute Remote Code Execution

Exploits (1)

exploitdb WORKING POC VERIFIED
by apoc · text · remote · linux
https://www.exploit-db.com/exploits/33826

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: TCPDF versions prior to 4.9.006
No auth needed
Prerequisites: A vulnerable version of TCPDF · Ability to inject malicious XML/PDF input
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026