EIP-2026-113001

PRE-CVE

vBulletin 4.0.8 PL1 - Cross-Site Scripting Filter Bypass within Profile Customization

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113001. PoCs published by MaXe.

AI-analyzed exploit summary This advisory details a persistent XSS vulnerability in vBulletin 4.0.8 PL1, where insufficient sanitization of the `url()` function in profile customization fields allows script execution. The PoC demonstrates bypassing the XSS filter using `vbscript:msgbox("X/SS")`.

Description

vBulletin 4.0.8 PL1 - Cross-Site Scripting Filter Bypass within Profile Customization

Exploits (1)

exploitdb WRITEUP VERIFIED
by MaXe · textwebappsphp
https://www.exploit-db.com/exploits/15590

This advisory details a persistent XSS vulnerability in vBulletin 4.0.8 PL1, where insufficient sanitization of the `url()` function in profile customization fields allows script execution. The PoC demonstrates bypassing the XSS filter using `vbscript:msgbox("X/SS")`.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 4.0.8 PL1
Auth required
Prerequisites: Profile customization feature enabled · User authentication
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026