EIP-2026-106590

PRE-CVE

Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting


Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106590. PoCs published by MaXe.

AI-analyzed exploit summary: This is a writeup detailing a persistent XSS vulnerability in Drupal CKEditor versions 3.0 to 3.6.2. The exploit involves injecting an event handler (e.g., onload) into an image tag, which executes JavaScript when previewed or edited in HTML mode.

Description

Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP VERIFIED
by MaXe · text · webapps · php
https://www.exploit-db.com/exploits/18389

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Drupal CKEditor 3.0 - 3.6.2
Auth required
Prerequisites: Access to a Drupal instance with CKEditor enabled · Ability to inject malicious content into a field using CKEditor
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026