EIP-2026-114484

PRE-CVE

XpressEngine 1.4.5.7 - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114484. PoCs published by v0nSch3lling.

AI-analyzed exploit summary This is a technical writeup detailing two persistent XSS vulnerabilities in XpressEngine 1.4.5.7, affecting administrator interfaces via nickname, homepage, and blog fields. It describes the attack vectors, exploitation conditions, and constraints (e.g., nickname length manipulation).

Description

XpressEngine 1.4.5.7 - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP VERIFIED

by v0nSch3lling · textwebappsphp

https://www.exploit-db.com/exploits/17639

View Code ZIP pw:eip

This is a technical writeup detailing two persistent XSS vulnerabilities in XpressEngine 1.4.5.7, affecting administrator interfaces via nickname, homepage, and blog fields. It describes the attack vectors, exploitation conditions, and constraints (e.g., nickname length manipulation).

Classification

Writeup 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: XpressEngine version 1.4.5.7

Auth required

Prerequisites: Access to modify user profile fields (nickname, homepage, blog) · Administrator interaction with vulnerable pages

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026