EIP-2026-110729

PRE-CVE

PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110729. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary This is a proof-of-concept for a persistent XSS vulnerability in PHP Melody 3.0, where an attacker with editor privileges can inject malicious script code via the WYSIWYG editor (tinymce class). The payload is stored in the database and executed when other users or administrators view the affected content.

Description

PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)

Exploits (1)

exploitdb WORKING POC

by Vulnerability-Lab · textwebappsphp

https://www.exploit-db.com/exploits/50488

View Code ZIP pw:eip

This is a proof-of-concept for a persistent XSS vulnerability in PHP Melody 3.0, where an attacker with editor privileges can inject malicious script code via the WYSIWYG editor (tinymce class). The payload is stored in the database and executed when other users or administrators view the affected content.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: PHP Melody v3.0

Auth required

Prerequisites: Editor privileges in PHP Melody 3.0 · Access to the video editor module

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026