EIP-2026-104378

PRE-CVE

Oracle HTTP Server - Cross-Site Scripting Header Injection

Title source: legacy
Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104378. PoCs published by Yasser ABOUKIR.

AI-analyzed exploit summary: This document describes a cross-site scripting (XSS) vulnerability in Oracle HTTP Server for Oracle Application Server 10g, caused by improper sanitization of the Expect header in HTTP requests. The vulnerability allows header injection attacks, potentially leading to session hijacking or content spoofing.

Description

Oracle HTTP Server - Cross-Site Scripting Header Injection

Exploits (1)

exploitdb WRITEUP VERIFIED
by Yasser ABOUKIR · text · webapps · multiple
https://www.exploit-db.com/exploits/17393

Classification: Writeup 90%
Attack Type: XSS
Complexity: Moderate
Reliability: Theoretical
Target: Oracle HTTP Server for Oracle Application Server 10g (10.1.2.0.2)
No auth needed
Prerequisites: Victim interaction required (e.g., visiting a malicious site or crafted request)
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026