EIP-2026-110776

PRE-CVE

PHP TopSites 2.1 - '/rate.php' Cross-Site Scripting / SQL Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110776. PoCs published by c0de Hunters.

AI-analyzed exploit summary: The exploit demonstrates SQL injection and XSS vulnerabilities in PHP TopSites 2.1 by providing crafted URIs that extract user credentials and execute arbitrary JavaScript. The SQLi example uses UNION-based injection to dump email and password data, while the XSS example injects a script tag.

Description

PHP TopSites 2.1 - '/rate.php' Cross-Site Scripting / SQL Injection

Exploits (1)

exploitdb WORKING POC VERIFIED
by c0de Hunters · text · webapps · php
https://www.exploit-db.com/exploits/35109

Classification: Working PoC 90%
Attack Type: SQLi | XSS
Complexity: Trivial
Reliability: Reliable
Target: PHP TopSites 2.1
No auth needed
Prerequisites: Access to the vulnerable PHP TopSites instance
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026