EIP-2026-113000

PRE-CVE

vBulletin 4.0.8 - Persistent Cross-Site Scripting via Profile Customization

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113000. PoCs published by MaXe.

AI-analyzed exploit summary The advisory details a persistent XSS vulnerability in vBulletin 4.0.8 via the Profile Customization feature, where insufficient input sanitization allows script injection through CSS functions like url(). It includes proof-of-concept payloads for both private and global XSS scenarios.

Description

vBulletin 4.0.8 - Persistent Cross-Site Scripting via Profile Customization

Exploits (1)

exploitdb WRITEUP VERIFIED
by MaXe · textwebappsphp
https://www.exploit-db.com/exploits/15550

The advisory details a persistent XSS vulnerability in vBulletin 4.0.8 via the Profile Customization feature, where insufficient input sanitization allows script injection through CSS functions like url(). It includes proof-of-concept payloads for both private and global XSS scenarios.

Classification
Writeup 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 4.0.8
Auth required
Prerequisites: Profile Customization feature enabled · Attacker must have a user account
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026