EIP-2026-104209

PRE-CVE

CourseMS 2.1 - 'name' Stored XSS

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104209. PoCs published by cptsticky.

AI-analyzed exploit summary This is a functional proof-of-concept for a stored XSS vulnerability in CourseMS 2.1. The exploit demonstrates how an attacker can inject malicious JavaScript via the 'name' parameter in the admin panel, which executes when other users visit the affected page.

Description

CourseMS 2.1 - 'name' Stored XSS

Exploits (1)

exploitdb WORKING POC

by cptsticky · textwebappsmultiple

https://www.exploit-db.com/exploits/49731

View Code ZIP pw:eip

This is a functional proof-of-concept for a stored XSS vulnerability in CourseMS 2.1. The exploit demonstrates how an attacker can inject malicious JavaScript via the 'name' parameter in the admin panel, which executes when other users visit the affected page.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: CourseMS 2.1

Auth required

Prerequisites: Access to the admin panel · Valid session cookie

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026