EIP-2026-105325
PRE-CVE
AV Arcade - 'Search' Cross-Site Scripting / HTML Injection
Title source: legacy
Exploitation Summary
EIP tracks 1 public exploit for EIP-2026-105325. PoCs published by Vadim Toptunov.
AI-analyzed exploit summary
This exploit demonstrates XSS and HTML injection vulnerabilities in AV Arcade's search field. The PoC provides example payloads that can be injected via the 'q' parameter in the search task, leading to arbitrary script execution or HTML rendering.
Description
AV Arcade - 'Search' Cross-Site Scripting / HTML Injection
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Vadim Toptunov · text · webapps · php
https://www.exploit-db.com/exploits/12519
Classification
Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: AV Arcade v5.1.4 Free and Pro (and prior)
No auth needed
Prerequisites: Access to the search functionality of AV Arcade
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Details
Status: pre_cve
Tracked Since: Feb 18, 2026