EIP-2026-113266

PRE-CVE

Webedition CMS v2.9.8.8 - Blind SSRF

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113266. PoCs published by Mirabbas Ağalarov.

AI-analyzed exploit summary The exploit demonstrates a Blind SSRF vulnerability in Webedition CMS v2.9.8.8 by sending a crafted POST request to the `rpc.php` endpoint with a malicious URL in the `we_cmd[0]` parameter. The vulnerability allows an attacker to force the server to make arbitrary HTTP requests to internal or external resources.

Description

Webedition CMS v2.9.8.8 - Blind SSRF

Exploits (1)

exploitdb WORKING POC

by Mirabbas Ağalarov · textwebappsphp

https://www.exploit-db.com/exploits/51743

View Code ZIP pw:eip

The exploit demonstrates a Blind SSRF vulnerability in Webedition CMS v2.9.8.8 by sending a crafted POST request to the `rpc.php` endpoint with a malicious URL in the `we_cmd[0]` parameter. The vulnerability allows an attacker to force the server to make arbitrary HTTP requests to internal or external resources.

Classification

Working Poc 95%

Attack Type

Ssrf

Complexity

Trivial

Reliability

Reliable

Target: Webedition CMS v2.9.8.8

Auth required

Prerequisites: Access to the target application · Valid session cookie (WESESSION)

MITRE ATT&CK

T1189 - Drive-by Compromise T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026