EIP-2026-110806

PRE-CVE

PHP-Fusion 6.0.106 - BBCode IMG Tag Script Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110806. PoCs published by Easyex.

AI-analyzed exploit summary This exploit leverages PHP-Fusion's [img] BBCode tag to trick administrators into executing unauthorized actions (e.g., user deletion, banning) by embedding malicious URLs in signatures or posts. The PoC generates exploit strings for different versions (5.x/6.x) and actions.

Description

PHP-Fusion 6.0.106 - BBCode IMG Tag Script Injection

Exploits (1)

exploitdb WORKING POC VERIFIED

by Easyex · cwebappsphp

https://www.exploit-db.com/exploits/1135

View Code ZIP pw:eip

This exploit leverages PHP-Fusion's [img] BBCode tag to trick administrators into executing unauthorized actions (e.g., user deletion, banning) by embedding malicious URLs in signatures or posts. The PoC generates exploit strings for different versions (5.x/6.x) and actions.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: PHP-Fusion 5.x/6.x (specifically <= 6.00.106)

No auth needed

Prerequisites: Administrator must view the malicious [img] tag in a post/signature · Target must be running vulnerable PHP-Fusion version

MITRE ATT&CK

T1189 - Drive-by Compromise T1204 - User Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026