EIP-2026-106960

PRE-CVE

Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-106960. PoCs published by Shivam Verma.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Expense Tracker 1.0, where an attacker can inject malicious JavaScript payloads into the 'Expense Name' field. The payload executes when an admin or user accesses the compromised section, potentially leading to cookie theft.

Description

Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC
by Shivam Verma · text · webapps · php
https://www.exploit-db.com/exploits/49373

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Expense Tracker 1.0
Auth required
Prerequisites: Access to the 'Add Expense Category' feature · Admin or user interaction with the compromised section
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026