EIP-2026-111542

PRE-CVE

ProjectSend r754 - Insecure Direct Object Reference

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111542. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary This advisory details an Insecure Direct Object Reference (IDOR) and authentication bypass vulnerability in ProjectSend r754, allowing attackers to access other clients' private files by manipulating the 'client' and 'file' parameters in the 'process.php?do=zip_download' endpoint.

Description

ProjectSend r754 - Insecure Direct Object Reference

Exploits (1)

exploitdb WRITEUP

by Vulnerability-Lab · textwebappsphp

https://www.exploit-db.com/exploits/41433

View Code ZIP pw:eip

This advisory details an Insecure Direct Object Reference (IDOR) and authentication bypass vulnerability in ProjectSend r754, allowing attackers to access other clients' private files by manipulating the 'client' and 'file' parameters in the 'process.php?do=zip_download' endpoint.

Classification

Writeup 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: ProjectSend r754

Auth required

Prerequisites: Low-privilege user account · Access to the vulnerable endpoint

MITRE ATT&CK

T1222 - File and Directory Permissions Modification T1021 - Remote Services

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026