EIP-2026-111301

PRE-CVE

Piwik 2.16.0 - 'layout' PHP Object Injection


Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111301. PoC published by Egidio Romano.

AI-analyzed exploit summary: The writeup describes a PHP object injection vulnerability in Piwik <= 2.16.0 via the `saveLayout` method, exploitable through session corruption due to MySQL UTF8 truncation. It allows unauthenticated attackers to inject arbitrary PHP objects, leading to SSRF, file deletion, or code execution under specific conditions.


Exploits (1)

exploitdb WRITEUP
by Egidio Romano · text · webapps · php
https://www.exploit-db.com/exploits/40724


Classification: Writeup (100%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Piwik <= 2.16.0
Authentication: No auth needed
Prerequisites: Piwik using database session storage (dbtable option) · PHP < 5.4.45, 5.5.29, or 5.6.13 · MySQL without utf8mb4 collation
Analyzed by devstral-2 · Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026