EIP-2026-112168

PRE-CVE

SiNG cms - 'Password.php' Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112168. PoCs published by LiquidWorm.

AI-analyzed exploit summary This is a functional proof-of-concept for a stored XSS vulnerability in SiNG CMS 2.9.0. The exploit demonstrates how an attacker can inject arbitrary JavaScript code via the 'email' parameter in the password recovery form, which executes in the context of the victim's browser.

Description

SiNG cms - 'Password.php' Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC VERIFIED

by LiquidWorm · htmlwebappsphp

https://www.exploit-db.com/exploits/37649

View Code ZIP pw:eip

This is a functional proof-of-concept for a stored XSS vulnerability in SiNG CMS 2.9.0. The exploit demonstrates how an attacker can inject arbitrary JavaScript code via the 'email' parameter in the password recovery form, which executes in the context of the victim's browser.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: SiNG CMS 2.9.0

No auth needed

Prerequisites: Victim interaction required (e.g., clicking a link or submitting a form)

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026