EIP-2026-104420

PRE-CVE

Schlix CMS 2.2.6-6 - Arbitrary File Upload (Authenticated)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104420. PoCs published by Emir Polat.

AI-analyzed exploit summary: This exploit demonstrates an authenticated arbitrary file upload vulnerability in Schlix CMS 2.2.6-6, leveraging directory traversal to place a malicious .phar file in a web-accessible directory, leading to remote code execution (RCE). The PoC includes a crafted HTTP request with manipulated form-data parameters to bypass restrictions and upload a PHP shell.

Description

Schlix CMS 2.2.6-6 - Arbitrary File Upload (Authenticated)

Exploits (1)

exploitdb WORKING POC
by Emir Polat · text · webapps · multiple
https://www.exploit-db.com/exploits/49897

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Schlix CMS 2.2.6-6
Auth required
Prerequisites: Valid admin credentials · Access to the admin panel · CSRF token
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026