EIP-2026-104742

PRE-CVE

LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104742. PoCs published by Metasploit.

AI-analyzed exploit summary: This Metasploit module exploits a remote command execution vulnerability in LotusCMS 3.0 by injecting PHP code into the 'page' parameter, which is passed to an eval() call. It supports both automatic and manual detection of the vulnerable parameter.

Description

LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/18565

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LotusCMS 3.0
Authentication: No auth needed
Prerequisites: Network access to the target · LotusCMS 3.0 installed and running
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026