EIP-2026-111297

PRE-CVE

Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111297. PoCs published by Touhid M.Shaikh.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in the Piwigo User Tag plugin (version 0.9.0). The attacker can inject malicious JavaScript via the 'tags' parameter, which is stored in the server's database and executed when other users view the tagged photo.

Description

Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC

by Touhid M.Shaikh · textwebappsphp

https://www.exploit-db.com/exploits/42443

View Code ZIP pw:eip

This exploit demonstrates a persistent XSS vulnerability in the Piwigo User Tag plugin (version 0.9.0). The attacker can inject malicious JavaScript via the 'tags' parameter, which is stored in the server's database and executed when other users view the tagged photo.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Piwigo User Tag plugin 0.9.0

No auth needed

Prerequisites: Admin must allow users or guests to add tags in the User Tag plugin options

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026