EIP-2026-113253

PRE-CVE

webcalendar 0.9.x - Multiple Vulnerabilities

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113253. PoCs published by Joxean Koret.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in WebCalendar, including XSS, HTTP response splitting, and authentication bypass. The PoC provides URLs with crafted parameters to trigger these vulnerabilities.

Description

webcalendar 0.9.x - Multiple Vulnerabilities

Exploits (1)

exploitdb WORKING POC VERIFIED

by Joxean Koret · textwebappsphp

https://www.exploit-db.com/exploits/24729

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in WebCalendar, including XSS, HTTP response splitting, and authentication bypass. The PoC provides URLs with crafted parameters to trigger these vulnerabilities.

Classification

Working Poc 90%

Attack Type

Xss | Auth Bypass | Other

Complexity

Trivial

Reliability

Reliable

Target: WebCalendar (version not specified)

No auth needed

Prerequisites: Access to the target WebCalendar instance

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026