EIP-2026-103806

PRE-CVE

PHP - 'mb_ereg(i)_replace()' Evaluate Replacement String

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-103806. PoCs published by 80vul.

AI-analyzed exploit summary: This exploit demonstrates a vulnerability in PHP's mb_ereg_replace() function where the 'e' option allows arbitrary code execution due to improper escaping of backreferences. The PoC shows how a crafted replacement string can lead to RCE when evaluated.

Description

PHP - 'mb_ereg(i)_replace()' Evaluate Replacement String

Exploits (1)

exploitdb WORKING POC VERIFIED
by 80vul · text · local · multiple
https://www.exploit-db.com/exploits/8641

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PHP (versions with vulnerable mb_ereg_replace)
No auth needed
Prerequisites: PHP installation with mbstring extension enabled
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026