EIP-2026-110377

PRE-CVE

osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110377. PoCs published by Emre Aslan.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in osCommerce 2.3.4.1 via the 'title' parameter in the admin newsletter module. The payload is injected into the title field and executed when the newsletter is viewed.

Description

osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC
by Emre Aslan · text · webapps · php
https://www.exploit-db.com/exploits/49103


Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: osCommerce 2.3.4.1
Auth required
Prerequisites: Admin access to osCommerce · Newsletter module enabled
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026