EIP-2026-113016

PRE-CVE

vBulletin Advanced User Tagging Mod - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113016. PoCs published by []0iZy5.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in the Advanced User Tagging vBulletin plugin. The attacker can inject malicious JavaScript via the 'Hash Tag Subscriptions' feature, which executes when other users access the affected page.

Description

vBulletin Advanced User Tagging Mod - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC

by []0iZy5 · textwebappsphp

https://www.exploit-db.com/exploits/26734

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in the Advanced User Tagging vBulletin plugin. The attacker can inject malicious JavaScript via the 'Hash Tag Subscriptions' feature, which executes when other users access the affected page.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Advanced User Tagging vBulletin plugin (vBulletin 3.8.x, 4.x.x)

Auth required

Prerequisites: Authenticated user access to the vBulletin forum · Advanced User Tagging plugin installed

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026