EIP-2026-103918

PRE-CVE

Half-Life StatsMe 2.6.x Plugin - MakeStats Format String

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-103918. PoCs published by [email protected].

AI-analyzed exploit summary This is a functional remote exploit for the Half-Life StatsMe plugin (versions 2.6.16/2.6.19) that leverages a format string vulnerability to achieve remote code execution. It binds a shell to port 30464/tcp and requires the attacker to have the rcon password.

Description

Half-Life StatsMe 2.6.x Plugin - MakeStats Format String

Exploits (1)

exploitdb WORKING POC VERIFIED

by [email protected] · cremotemultiple

https://www.exploit-db.com/exploits/22140

View Code ZIP pw:eip

This is a functional remote exploit for the Half-Life StatsMe plugin (versions 2.6.16/2.6.19) that leverages a format string vulnerability to achieve remote code execution. It binds a shell to port 30464/tcp and requires the attacker to have the rcon password.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Half-Life Dedicated Server with StatsMe plugin (2.6.16/2.6.19)

Auth required

Prerequisites: rcon password · authenticated session on the Half-Life server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026