EIP-2026-109087

PRE-CVE

Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-109087. PoCs published by Ahmet Ümit BAYRAM.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Leafpub 1.1.9 by injecting malicious JavaScript into the 'Custom Code' field via the settings API. The payload is executed when the settings page is viewed, confirming the vulnerability.

Description

Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)

Exploits (1)

exploitdb WORKING POC

by Ahmet Ümit BAYRAM · textwebappsphp

https://www.exploit-db.com/exploits/52014

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Leafpub 1.1.9 by injecting malicious JavaScript into the 'Custom Code' field via the settings API. The payload is executed when the settings page is viewed, confirming the vulnerability.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Leafpub 1.1.9

Auth required

Prerequisites: Valid admin credentials · Access to the admin settings page

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026