EIP-2026-112413

PRE-CVE

SquirrelMail Virtual Keyboard Plugin - 'vkeyboard.php' Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112413. PoCs published by Moritz Naumann.

AI-analyzed exploit summary The exploit demonstrates a cross-site scripting (XSS) vulnerability in the Virtual Keyboard plugin for SquirrelMail by injecting malicious JavaScript via the 'passformname' parameter. The payload bypasses input sanitization and executes arbitrary script code in the context of the affected site.

Description

SquirrelMail Virtual Keyboard Plugin - 'vkeyboard.php' Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC VERIFIED

by Moritz Naumann · textwebappsphp

https://www.exploit-db.com/exploits/34814

View Code ZIP pw:eip

The exploit demonstrates a cross-site scripting (XSS) vulnerability in the Virtual Keyboard plugin for SquirrelMail by injecting malicious JavaScript via the 'passformname' parameter. The payload bypasses input sanitization and executes arbitrary script code in the context of the affected site.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Virtual Keyboard plugin for SquirrelMail 0.9.1 and prior

No auth needed

Prerequisites: Access to the vulnerable plugin endpoint

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026