EIP-2026-105325

PRE-CVE

AV Arcade - 'Search' Cross-Site Scripting / HTML Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-105325. PoCs published by Vadim Toptunov.

AI-analyzed exploit summary: This exploit demonstrates XSS and HTML injection vulnerabilities in AV Arcade's search field. The PoC provides example payloads that can be injected via the 'q' parameter in the search task, leading to arbitrary script execution or HTML rendering.

Description

AV Arcade - 'Search' Cross-Site Scripting / HTML Injection

Exploits (1)

exploitdb WORKING POC VERIFIED
by Vadim Toptunov · text · webapps · php
https://www.exploit-db.com/exploits/12519

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: AV Arcade v5.1.4 Free and Pro (and prior)
No auth needed
Prerequisites: Access to the search functionality of AV Arcade
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026