EIP-2026-112251

PRE-CVE

SMF - '/index.php' HTML Injection / Multiple PHP Code Injection Vulnerabilities

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112251. PoCs published by Jakub Galczyk.

AI-analyzed exploit summary This PoC demonstrates a PHP code injection vulnerability in SMF 2.0.4 by exploiting improper input sanitization in language settings. It requires admin credentials and injects arbitrary PHP code via the 'dictionary' parameter.

Description

SMF - '/index.php' HTML Injection / Multiple PHP Code Injection Vulnerabilities

Exploits (1)

exploitdb WORKING POC VERIFIED

by Jakub Galczyk · phpwebappsphp

https://www.exploit-db.com/exploits/38491

View Code ZIP pw:eip

This PoC demonstrates a PHP code injection vulnerability in SMF 2.0.4 by exploiting improper input sanitization in language settings. It requires admin credentials and injects arbitrary PHP code via the 'dictionary' parameter.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Simple Machines Forum (SMF) 2.0.4

Auth required

Prerequisites: Admin credentials for SMF · Valid admin session cookie

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026