EIP-2026-109943

PRE-CVE

No-CMS 0.6.6 rev 1 - Admin Account Hijacking / Remote Code Execution via Static Encryption Key

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-109943. PoCs published by Mehmet Ince.

AI-analyzed exploit summary This exploit leverages a static encryption key in No-CMS to forge administrator session cookies, enabling account hijacking and potential RCE via theme/module upload. It decrypts and manipulates session data to escalate privileges.

Description

No-CMS 0.6.6 rev 1 - Admin Account Hijacking / Remote Code Execution via Static Encryption Key

Exploits (1)

exploitdb WORKING POC VERIFIED

by Mehmet Ince · phpwebappsphp

https://www.exploit-db.com/exploits/32976

View Code ZIP pw:eip

This exploit leverages a static encryption key in No-CMS to forge administrator session cookies, enabling account hijacking and potential RCE via theme/module upload. It decrypts and manipulates session data to escalate privileges.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: No-CMS (CodeIgniter-based CMS)

No auth needed

Prerequisites: Access to a valid session cookie · No-CMS installation with unpatched static encryption key

MITRE ATT&CK

T1552 - Unsecured Credentials T1550.004 - Web Session Cookie

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026