EIP-2026-111212

PRE-CVE

phpStats 0.1.9 - 'PHP-Stats-options.php' Remote Code Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111212. PoCs published by rgod.

AI-analyzed exploit summary This exploit leverages a PHP code injection vulnerability in PhpStats <= 0.1.9.1b by injecting malicious PHP code into the 'report_w_day' parameter, which is then executed via the admin interface. The exploit sends a crafted POST request to inject the payload and a subsequent GET request to trigger command execution.

Description

phpStats 0.1.9 - 'PHP-Stats-options.php' Remote Code Execution

Exploits (1)

exploitdb WORKING POC VERIFIED

by rgod · phpwebappsphp

https://www.exploit-db.com/exploits/29751

View Code ZIP pw:eip

This exploit leverages a PHP code injection vulnerability in PhpStats <= 0.1.9.1b by injecting malicious PHP code into the 'report_w_day' parameter, which is then executed via the admin interface. The exploit sends a crafted POST request to inject the payload and a subsequent GET request to trigger command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PhpStats <= 0.1.9.1b

Auth required

Prerequisites: Admin credentials · Access to the admin interface

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026