EIP-2026-112977

PRE-CVE

vBSEO 3.2.2/3.5.2 - Persistent Cross-Site Scripting via LinkBacks

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112977. PoCs published by MaXe.

AI-analyzed exploit summary The advisory describes a persistent XSS vulnerability in vBSEO versions 3.5.2 and 3.2.2, caused by insufficient sanitization of external website titles. The exploit involves crafting a malicious HTML page with an XSS payload in the title tag, which is then saved by vBSEO's LinkBack feature.

Description

vBSEO 3.2.2/3.5.2 - Persistent Cross-Site Scripting via LinkBacks

Exploits (1)

exploitdb WRITEUP VERIFIED

by MaXe · textwebappsphp

https://www.exploit-db.com/exploits/16076

View Code ZIP pw:eip

The advisory describes a persistent XSS vulnerability in vBSEO versions 3.5.2 and 3.2.2, caused by insufficient sanitization of external website titles. The exploit involves crafting a malicious HTML page with an XSS payload in the title tag, which is then saved by vBSEO's LinkBack feature.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: vBSEO 3.5.2, 3.2.2 (likely all versions)

No auth needed

Prerequisites: vBSEO LinkBack feature enabled · Attacker-controlled external website

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026