EIP-2026-110962

PRE-CVE

phpBB 2.0.6 - URL BBCode HTML Injection

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-110962. PoCs published by keupon_ps2.

AI-analyzed exploit summary This exploit demonstrates an HTML injection vulnerability in phpBB's BBCode parsing, allowing arbitrary JavaScript execution via malformed URL tags. The PoC shows how an attacker can inject malicious scripts into posts or messages due to insufficient sanitization.

Description

phpBB 2.0.6 - URL BBCode HTML Injection

Exploits (1)

exploitdb WORKING POC VERIFIED
by keupon_ps2 · textwebappsphp
https://www.exploit-db.com/exploits/23125

This exploit demonstrates an HTML injection vulnerability in phpBB's BBCode parsing, allowing arbitrary JavaScript execution via malformed URL tags. The PoC shows how an attacker can inject malicious scripts into posts or messages due to insufficient sanitization.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: phpBB (version not specified)
No auth needed
Prerequisites: Access to a phpBB instance where BBCode is rendered
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026