EIP-2026-106120

PRE-CVE

Concrete 5.4.1 1 - 'rcID' Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106120. PoCs published by Aung Khant.

AI-analyzed exploit summary This is a functional proof-of-concept for a stored XSS vulnerability in Concrete CMS 5.4.1.1. The exploit leverages unsanitized input in the 'rcID' parameter to inject malicious JavaScript, which executes in the context of the affected site.

Description

Concrete 5.4.1 1 - 'rcID' Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC VERIFIED

by Aung Khant · textwebappsphp

https://www.exploit-db.com/exploits/36076

View Code ZIP pw:eip

This is a functional proof-of-concept for a stored XSS vulnerability in Concrete CMS 5.4.1.1. The exploit leverages unsanitized input in the 'rcID' parameter to inject malicious JavaScript, which executes in the context of the affected site.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Concrete CMS 5.4.1.1

No auth needed

Prerequisites: Access to the login page of the target Concrete CMS instance

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026