EIP-2026-114416

PRE-CVE

XCMS v1.83 - Remote Command Execution (RCE)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114416. PoCs published by Onurcan.

AI-analyzed exploit summary This exploit demonstrates a Remote Command Execution (RCE) vulnerability in XCMS v1.83 by leveraging an unauthenticated file inclusion flaw in the footer modification functionality. The exploit allows an attacker to inject arbitrary PHP code into the footer file, leading to full system compromise.

Description

XCMS v1.83 - Remote Command Execution (RCE)

Exploits (1)

exploitdb WORKING POC

by Onurcan · textwebappsphp

https://www.exploit-db.com/exploits/51184

View Code ZIP pw:eip

This exploit demonstrates a Remote Command Execution (RCE) vulnerability in XCMS v1.83 by leveraging an unauthenticated file inclusion flaw in the footer modification functionality. The exploit allows an attacker to inject arbitrary PHP code into the footer file, leading to full system compromise.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: XCMS v1.83

No auth needed

Prerequisites: Access to the target XCMS installation · Network connectivity to the target

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026