EIP-2026-109314

PRE-CVE

Manila 9.0.1 - Multiple Cross-Site Scripting Vulnerabilities

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-109314. PoCs published by Aaron Kaplan.

AI-analyzed exploit summary The exploit demonstrates multiple XSS vulnerabilities in Manila by injecting arbitrary script code via unsanitized input in the 'mode' and 'referer' parameters. The PoC includes direct URLs with payloads that trigger JavaScript execution in the context of the affected site.

Description

Manila 9.0.1 - Multiple Cross-Site Scripting Vulnerabilities

Exploits (1)

exploitdb WORKING POC VERIFIED

by Aaron Kaplan · textwebappsphp

https://www.exploit-db.com/exploits/27666

View Code ZIP pw:eip

The exploit demonstrates multiple XSS vulnerabilities in Manila by injecting arbitrary script code via unsanitized input in the 'mode' and 'referer' parameters. The PoC includes direct URLs with payloads that trigger JavaScript execution in the context of the affected site.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Manila

No auth needed

Prerequisites: Access to the target application · User interaction to visit crafted URLs

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026