EIP-2026-106788

PRE-CVE

eFront 3.6.15 - PHP Object Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106788. PoCs published by Filippo Roncari.

AI-analyzed exploit summary: This is a detailed technical writeup describing a PHP Object Injection vulnerability in eFront 3.6.15, caused by unsafe use of unserialize() in the copy.php script. The vulnerability allows authenticated professors to inject malicious serialized objects via the 'transfered' parameter, though exploitation is limited due to lack of useful magic methods.

Description

eFront 3.6.15 - PHP Object Injection

Exploits (1)

exploitdb WRITEUP
by Filippo Roncari · text · webapps · php
https://www.exploit-db.com/exploits/36991

Classification: Writeup 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: eFront 3.6.15
Auth required
Prerequisites: Authenticated as a Professor · Access to the copy.php script
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026