EIP-2026-111451

PRE-CVE

PowerMovieList 0.13/0.14 - Edit User HTML Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111451. PoCs published by MP.

AI-analyzed exploit summary This Perl script exploits an XSS vulnerability in PowerMovieList <= 0.14 Beta by injecting malicious JavaScript into the 'email' field during user registration, which exfiltrates cookies to an attacker-controlled server. The script automates the attack by sending multiple requests, optionally through a proxy.

Description

PowerMovieList 0.13/0.14 - Edit User HTML Injection

Exploits (1)

exploitdb WORKING POC VERIFIED

by MP · perlwebappsphp

https://www.exploit-db.com/exploits/28823

View Code ZIP pw:eip

This Perl script exploits an XSS vulnerability in PowerMovieList <= 0.14 Beta by injecting malicious JavaScript into the 'email' field during user registration, which exfiltrates cookies to an attacker-controlled server. The script automates the attack by sending multiple requests, optionally through a proxy.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: PowerMovieList <= 0.14 Beta

No auth needed

Prerequisites: Target application accessible via HTTP · Attacker-controlled server to receive exfiltrated cookies

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026