EIP-2026-112394

PRE-CVE

Spitfire CMS 1.0.475 - PHP Object Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112394. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates a PHP Object Injection vulnerability in Spitfire CMS 1.0.475 due to unsafe use of unserialize() on user-controlled cookie data. The PoC includes a curl command to trigger the vulnerability by sending a malicious serialized payload via the 'cms_backup_values' cookie.

Description

Spitfire CMS 1.0.475 - PHP Object Injection

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappsphp

https://www.exploit-db.com/exploits/51162

View Code ZIP pw:eip

This exploit demonstrates a PHP Object Injection vulnerability in Spitfire CMS 1.0.475 due to unsafe use of unserialize() on user-controlled cookie data. The PoC includes a curl command to trigger the vulnerability by sending a malicious serialized payload via the 'cms_backup_values' cookie.

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Spitfire CMS 1.0.475

Auth required

Prerequisites: Authenticated session · Ability to set arbitrary cookies

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026