EIP-2026-107041

PRE-CVE

Family Connections 2.3.2 - 'subject' HTML Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-107041. PoCs published by Zero Science Lab.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Family Connections CMS 2.3.2 via the 'subject' parameter in messageboard.php and an XPath injection in getChat.php via the 'message' parameter. The PoC includes HTML forms to trigger both vulnerabilities.

Description

Family Connections 2.3.2 - 'subject' HTML Injection

Exploits (1)

exploitdb WORKING POC VERIFIED

by Zero Science Lab · textwebappsphp

https://www.exploit-db.com/exploits/35500

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Family Connections CMS 2.3.2 via the 'subject' parameter in messageboard.php and an XPath injection in getChat.php via the 'message' parameter. The PoC includes HTML forms to trigger both vulnerabilities.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Family Connections CMS 2.3.2

Auth required

Prerequisites: Access to a vulnerable instance of Family Connections CMS · Valid authentication credentials for XSS exploitation

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026