EIP-2026-113047

PRE-CVE

VehicleWorkshop - Arbitrary File Upload

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113047. PoCs published by Touhid M.Shaikh.

AI-analyzed exploit summary This exploit demonstrates an unrestricted file upload vulnerability in VehicleWorkshop, allowing authenticated users to upload malicious PHP files (e.g., a backdoor) via the 'sellvehicle.php' page. The vulnerability arises from improper file type validation in the PHP code, enabling remote code execution (RCE).

Description

VehicleWorkshop - Arbitrary File Upload

Exploits (1)

exploitdb WORKING POC

by Touhid M.Shaikh · textwebappsphp

https://www.exploit-db.com/exploits/42404

View Code ZIP pw:eip

This exploit demonstrates an unrestricted file upload vulnerability in VehicleWorkshop, allowing authenticated users to upload malicious PHP files (e.g., a backdoor) via the 'sellvehicle.php' page. The vulnerability arises from improper file type validation in the PHP code, enabling remote code execution (RCE).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: VehicleWorkshop (version not specified)

Auth required

Prerequisites: Authenticated user account (customer or regular user) · Access to the 'sellvehicle.php' page

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1505.003 - Web Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026