EIP-2026-114419

PRE-CVE

XenAPI 1.4.1 for XenForo - Multiple SQL Injections

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114419. PoCs published by Julien Ahrens.

AI-analyzed exploit summary: The advisory describes unauthenticated SQL injection vulnerabilities in XenAPI for XenForo v1.4.1, allowing attackers to extract sensitive database information via crafted requests to the 'getUsers' and 'getGroup' endpoints.

Description

XenAPI 1.4.1 for XenForo - Multiple SQL Injections

Exploits (1)

exploitdb WRITEUP VERIFIED
by Julien Ahrens · text · webapps · php
https://www.exploit-db.com/exploits/39849


Classification: Writeup 100%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: XenAPI for XenForo v1.4.1
No auth needed
Prerequisites: Network access to the target XenForo instance
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026