EIP-2026-107725

PRE-CVE

Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-107725. PoCs published by J3rryBl4nks.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Request Forgery (CSRF) vulnerability in Ice HRM 26.2.0, allowing arbitrary user creation or password changes via crafted HTML forms. The PoC includes functional code to trigger the vulnerability by submitting malicious requests to the target application.

Description

Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)

Exploits (1)

exploitdb WORKING POC
by J3rryBl4nks · text · webapps · php
https://www.exploit-db.com/exploits/48082


Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Ice HRM 26.2.0
No auth needed
Prerequisites: Victim must visit a malicious webpage while authenticated to the target Ice HRM instance
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026