EIP-2026-112395

PRE-CVE

Spitfire CMS 1.1.4 - Cross-Site Request Forgery

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112395. PoCs published by Yashar shahinzadeh.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in Spitefire CMS 1.1.4, allowing attackers to add/edit administrator accounts or upload malicious files without user interaction. The PoC includes HTML/JavaScript for CSRF and details on file upload manipulation.

Description

Spitfire CMS 1.1.4 - Cross-Site Request Forgery

Exploits (1)

exploitdb WORKING POC

by Yashar shahinzadeh · textwebappsphp

https://www.exploit-db.com/exploits/27601

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in Spitefire CMS 1.1.4, allowing attackers to add/edit administrator accounts or upload malicious files without user interaction. The PoC includes HTML/JavaScript for CSRF and details on file upload manipulation.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Spitefire CMS 1.1.4

No auth needed

Prerequisites: Victim must visit a malicious page · Target CMS must be Spitefire 1.1.4

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026