EIP-2026-106923

PRE-CVE

eTransfer Lite - 'file name' HTML Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106923. PoCs published by Benjamin Kunz Mejri.

AI-analyzed exploit summary The provided text describes an HTML-injection vulnerability in eTransfer Lite 1.0, where user-supplied input is not properly sanitized, allowing attacker-supplied HTML or JavaScript code to execute in the context of the affected site. The example demonstrates persistent XSS via crafted file names in the application's file listing functionality.

Description

eTransfer Lite - 'file name' HTML Injection

Exploits (1)

exploitdb WRITEUP VERIFIED

by Benjamin Kunz Mejri · textwebappsphp

https://www.exploit-db.com/exploits/38754

View Code ZIP pw:eip

The provided text describes an HTML-injection vulnerability in eTransfer Lite 1.0, where user-supplied input is not properly sanitized, allowing attacker-supplied HTML or JavaScript code to execute in the context of the affected site. The example demonstrates persistent XSS via crafted file names in the application's file listing functionality.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: eTransfer Lite 1.0

No auth needed

Prerequisites: Access to upload or modify file names in the application

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026