EIP-2026-112984

PRE-CVE

vBulletin 2.x - 'private.php' Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112984. PoCs published by JeiAr.

AI-analyzed exploit summary The writeup describes a cross-site scripting (XSS) vulnerability in vBulletin's 'private.php' script due to insufficient input sanitization. The issue allows injection of malicious script code via the 'forward' parameter, potentially leading to credential theft or other client-side attacks.

Description

vBulletin 2.x - 'private.php' Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP VERIFIED

by JeiAr · textwebappsphp

https://www.exploit-db.com/exploits/23865

View Code ZIP pw:eip

The writeup describes a cross-site scripting (XSS) vulnerability in vBulletin's 'private.php' script due to insufficient input sanitization. The issue allows injection of malicious script code via the 'forward' parameter, potentially leading to credential theft or other client-side attacks.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: vBulletin (version unspecified)

No auth needed

Prerequisites: Access to the target vBulletin instance · Victim interaction to trigger the XSS payload

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026