EIP-2026-107507

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-107507. PoCs published by Chance Proctor.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in Grocy <= 4.0.2, allowing an attacker to create a new user via a crafted HTML form if the victim is logged in with Create User Permissions. The PoC uses a hidden form submission to bypass CSRF protection.

Description

Grocy <=4.0.2 - CSRF

Exploits (1)

exploitdb WORKING POC

by Chance Proctor · textwebappsphp

https://www.exploit-db.com/exploits/51760

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in Grocy <= 4.0.2, allowing an attacker to create a new user via a crafted HTML form if the victim is logged in with Create User Permissions. The PoC uses a hidden form submission to bypass CSRF protection.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Grocy <= 4.0.2

Auth required

Prerequisites: Victim must be logged into Grocy with Create User Permissions · Attacker must deliver the HTML payload via XSS or phishing

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Grocy <=4.0.2 - CSRF

Exploitation Summary

Description

Exploits (1)

Details