EIP-2026-108069

PRE-CVE

jBilling 3.0.2 - Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-108069. PoCs published by Woody Hughes.

AI-analyzed exploit summary: This advisory details a Cross-Site Scripting (XSS) vulnerability in jBilling 3.0.2, where malicious iframe tags can be injected via the 'notes' section in order creation or the 'description' field in customer details. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a victim's session.

Description

jBilling 3.0.2 - Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP VERIFIED
by Woody Hughes · text · webapps · php
https://www.exploit-db.com/exploits/22906

Classification
Writeup 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: jBilling 3.0.2
Auth required
Prerequisites: Valid user credentials with 'Add User' or customer creation privileges
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026