EIP-2026-110632

PRE-CVE

PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110632. PoCs published by S1lv3r.

AI-analyzed exploit summary This exploit abuses the PHP_SESSION_UPLOAD_PROGRESS feature in PHP 7.3.15-3 to inject malicious session data, triggering a race condition that leads to remote code execution via a reverse shell. The script uses multithreading to repeatedly send crafted POST requests with a malicious payload.

Description

PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection

Exploits (1)

exploitdb WORKING POC

by S1lv3r · pythonwebappsphp

https://www.exploit-db.com/exploits/50156

View Code ZIP pw:eip

This exploit abuses the PHP_SESSION_UPLOAD_PROGRESS feature in PHP 7.3.15-3 to inject malicious session data, triggering a race condition that leads to remote code execution via a reverse shell. The script uses multithreading to repeatedly send crafted POST requests with a malicious payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Racy

Target: PHP 7.3.15-3

No auth needed

Prerequisites: Target must have PHP 7.3.15-3 with session.upload_progress enabled · Attacker must be able to send POST requests to the target · Netcat listener must be set up to receive the reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026