EIP-2026-103968

PRE-CVE

Liferay 6.0.x - WebDAV File Reading

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-103968. PoCs published by Jelmer Kuperus.

AI-analyzed exploit summary The vulnerability involves a specially crafted WebDAV request with an external entity to read local files on Liferay Portal 6.0.x. The exploit leverages XML External Entity (XXE) injection to disclose sensitive files such as configuration files or SSH keys.

Description

Liferay 6.0.x - WebDAV File Reading

Exploits (1)

exploitdb WRITEUP

by Jelmer Kuperus · textremotemultiple

https://www.exploit-db.com/exploits/18763

View Code ZIP pw:eip

The vulnerability involves a specially crafted WebDAV request with an external entity to read local files on Liferay Portal 6.0.x. The exploit leverages XML External Entity (XXE) injection to disclose sensitive files such as configuration files or SSH keys.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Liferay Portal 6.0.5 CE, 6.0.6 CE

No auth needed

Prerequisites: Network access to the Liferay Portal WebDAV service

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1213 - Data from Information Repositories

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026