EIP-2026-106125

PRE-CVE

Concrete5 CMS 5.6.1.2 - Multiple Vulnerabilities

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106125. PoCs published by expl0i13r.

AI-analyzed exploit summary: The exploit demonstrates multiple CSRF and Stored XSS vulnerabilities in concrete5 CMS v5.6.1.2, including modifying SMTP settings, mail importer settings, deleting form results, and executing arbitrary JavaScript via stored XSS payloads.

Description

Concrete5 CMS 5.6.1.2 - Multiple Vulnerabilities

Exploits (1)

exploitdb WORKING POC
by expl0i13r · text · webapps · php
https://www.exploit-db.com/exploits/26077


Classification: Working PoC 95%
Attack Type: XSS | CSRF
Complexity: Moderate
Reliability: Reliable
Target: concrete5 CMS v5.6.1.2
Auth required
Prerequisites: Victim must be authenticated and visit a malicious page · Attacker must know specific form IDs (e.g., qsID)
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026