EIP-2026-106129

PRE-CVE

Concrete5 CMS FlashUploader - Arbitrary '.SWF' File Upload

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106129. PoCs published by AkaStep.

AI-analyzed exploit summary The provided text describes multiple vulnerabilities in Concrete CMS versions 5.5 and 5.5.21, including XSS, arbitrary file upload, and DoS. It lists affected SWF files but does not include functional exploit code.

Description

Concrete5 CMS FlashUploader - Arbitrary '.SWF' File Upload

Exploits (1)

exploitdb WRITEUP VERIFIED

by AkaStep · textwebappsphp

https://www.exploit-db.com/exploits/37226

View Code ZIP pw:eip

The provided text describes multiple vulnerabilities in Concrete CMS versions 5.5 and 5.5.21, including XSS, arbitrary file upload, and DoS. It lists affected SWF files but does not include functional exploit code.

Classification

Writeup 90%

Attack Type

Xss | Dos | Other

Complexity

Trivial

Reliability

Theoretical

Target: Concrete CMS 5.5, 5.5.21

No auth needed

Prerequisites: Access to vulnerable Concrete CMS instance

MITRE ATT&CK

T1059.007 - JavaScript T1499.004 - Application or System Exploitation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026