EIP-2026-106136
PRE-CVEConstructr CMS 3.03 - Multiple Remote Vulnerabilities
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-106136. PoCs published by LiquidWorm.
AI-analyzed exploit summary The exploit demonstrates SQL injection via the 'page_id' parameter and reflected XSS via 'user' and 'hash' parameters in Constructr CMS 3.03. The PoC includes direct URLs with injection points, confirming functional exploitability.
Description
Constructr CMS 3.03 - Multiple Remote Vulnerabilities
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by LiquidWorm · textwebappsphp
https://www.exploit-db.com/exploits/16963
The exploit demonstrates SQL injection via the 'page_id' parameter and reflected XSS via 'user' and 'hash' parameters in Constructr CMS 3.03. The PoC includes direct URLs with injection points, confirming functional exploitability.
Classification
Working Poc 90%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Reliable
Target:
Constructr CMS 3.03
No auth needed
Prerequisites:
Network access to the target application
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026
Full analysis →
Details
Status
pre_cve
Tracked Since
Feb 18, 2026