EIP-2026-105328
PRE-CVEAvailability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-105328. PoCs published by Andrey Stoykov.
AI-analyzed exploit summary This exploit demonstrates two XSS vulnerabilities in Availability Booking Calendar v1.0: one via the promo code field and another via SVG file upload. Both are confirmed with HTTP request/response examples.
Description
Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
Exploits (1)
exploitdb
WORKING POC
by Andrey Stoykov · textwebappsphp
https://www.exploit-db.com/exploits/51626
This exploit demonstrates two XSS vulnerabilities in Availability Booking Calendar v1.0: one via the promo code field and another via SVG file upload. Both are confirmed with HTTP request/response examples.
Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target:
Availability Booking Calendar v1.0
Auth required
Prerequisites:
Access to the booking edit functionality · Ability to upload files in the user account section
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
Details
Status
pre_cve
Tracked Since
Feb 18, 2026