EIP-2026-112394

This exploit demonstrates a PHP Object Injection vulnerability in Spitfire CMS 1.0.475 due to unsafe use of unserialize() on user-controlled cookie data. The PoC includes a curl command to trigger the vulnerability by sending a malicious serialized payload via the 'cms_backup_values' cookie.