EIP-2026-109498

PRE-CVE

Mix Systems CMS - 'parent/id' SQL Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-109498. PoCs published by halkfild.

AI-analyzed exploit summary This PHP script exploits SQL injection vulnerabilities in Mix Systems CMS via two different plugins (katalog and photogall) to dump user credentials (id, login, password, email) from the database. It uses UNION-based SQLi with pattern matching to extract and display the data.

Description

Mix Systems CMS - 'parent/id' SQL Injection

Exploits (1)

exploitdb WORKING POC VERIFIED

by halkfild · phpwebappsphp

https://www.exploit-db.com/exploits/5099

View Code ZIP pw:eip

This PHP script exploits SQL injection vulnerabilities in Mix Systems CMS via two different plugins (katalog and photogall) to dump user credentials (id, login, password, email) from the database. It uses UNION-based SQLi with pattern matching to extract and display the data.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Mix Systems CMS (version unspecified)

No auth needed

Prerequisites: Target must be running vulnerable Mix Systems CMS with exposed plugin endpoints

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026