EIP-2026-112906

PRE-CVE

up.time 7.5.0 - Cross-Site Scripting / Cross-Site Request Forgery (Add Admin)

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112906. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability to add an admin user and multiple reflected XSS vulnerabilities in up.time 7.5.0. The CSRF PoC submits a form to create an admin user, while the XSS examples show unsanitized input in various parameters.

Description

up.time 7.5.0 - Cross-Site Scripting / Cross-Site Request Forgery (Add Admin)

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · textwebappsphp
https://www.exploit-db.com/exploits/37886

This exploit demonstrates a CSRF vulnerability to add an admin user and multiple reflected XSS vulnerabilities in up.time 7.5.0. The CSRF PoC submits a form to create an admin user, while the XSS examples show unsanitized input in various parameters.

Classification
Working Poc 95%
Attack Type
Xss | Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: up.time 7.5.0 (build 16) and 7.4.0 (build 13)
Auth required
Prerequisites: Victim must be logged in for CSRF · Reflected XSS requires user interaction
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026