EIP-2026-104438

PRE-CVE

SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104438. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates an authenticated Cross-Site Scripting (XSS) vulnerability in SmartFoxServer 2X 2.17.0. The payload leverages improper input sanitization in the AdminTool console, allowing arbitrary HTML/JS execution via a crafted WebSocket message.

Description

SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappsmultiple

https://www.exploit-db.com/exploits/49528

View Code ZIP pw:eip

This exploit demonstrates an authenticated Cross-Site Scripting (XSS) vulnerability in SmartFoxServer 2X 2.17.0. The payload leverages improper input sanitization in the AdminTool console, allowing arbitrary HTML/JS execution via a crafted WebSocket message.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: SmartFoxServer 2X 2.17.0 (AdminTool 3.2.6)

Auth required

Prerequisites: Authenticated access to the AdminTool console · WebSocket connection to the server

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026