EIP-2026-107318

PRE-CVE

Fusionphp Fusion News 3.3/3.6 - X-Forworded-For PHP Script Code Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-107318. PoCs published by Network security team.

AI-analyzed exploit summary This exploit targets a PHP code injection vulnerability in FusionPHP Fusion News v3.6.1 by injecting malicious PHP code into the 'X-FORWORDEDFOR' header, which is then written to a template file. The exploit allows remote command execution via crafted GET parameters.

Description

Fusionphp Fusion News 3.3/3.6 - X-Forworded-For PHP Script Code Injection

Exploits (1)

exploitdb WORKING POC VERIFIED

by Network security team · phpwebappsphp

https://www.exploit-db.com/exploits/25681

View Code ZIP pw:eip

This exploit targets a PHP code injection vulnerability in FusionPHP Fusion News v3.6.1 by injecting malicious PHP code into the 'X-FORWORDEDFOR' header, which is then written to a template file. The exploit allows remote command execution via crafted GET parameters.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: FusionPHP Fusion News v3.6.1

No auth needed

Prerequisites: Target must be running FusionPHP Fusion News v3.6.1 · The 'comments.php' endpoint must be accessible

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026