EIP-2026-103683

PRE-CVE

Transmit 3.5.5 - Remote Heap Overflow

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-103683. PoCs published by LMH.

AI-analyzed exploit summary This exploit leverages a heap-overflow vulnerability in Transmit 3 by crafting a malicious FTPS URL with an overly long string (408 'A's followed by 'ABCD'). The overflow occurs when the application processes the URL, potentially allowing arbitrary code execution with administrative privileges.

Description

Transmit 3.5.5 - Remote Heap Overflow

Exploits (1)

exploitdb WORKING POC VERIFIED

by LMH · htmldosmultiple

https://www.exploit-db.com/exploits/29502

View Code ZIP pw:eip

This exploit leverages a heap-overflow vulnerability in Transmit 3 by crafting a malicious FTPS URL with an overly long string (408 'A's followed by 'ABCD'). The overflow occurs when the application processes the URL, potentially allowing arbitrary code execution with administrative privileges.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Transmit 3 version 3.5.5 and prior

No auth needed

Prerequisites: Victim must open the malicious HTML file in a browser with Transmit 3 installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026