EIP-2026-114605

PRE-CVE

ZenPhoto - Config Update / Command Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114605. PoCs published by Abysssec.

AI-analyzed exploit summary This PHP script exploits a vulnerability in Zenphoto <= 1.3 by sending a crafted POST request to 'zp-core/setup.php' to update MySQL configuration settings, potentially allowing an attacker to take control of the database and upload malicious files. The exploit leverages improper input validation in the setup process.

Description

ZenPhoto - Config Update / Command Execution

Exploits (1)

exploitdb WORKING POC VERIFIED

by Abysssec · phpwebappsphp

https://www.exploit-db.com/exploits/15114

View Code ZIP pw:eip

This PHP script exploits a vulnerability in Zenphoto <= 1.3 by sending a crafted POST request to 'zp-core/setup.php' to update MySQL configuration settings, potentially allowing an attacker to take control of the database and upload malicious files. The exploit leverages improper input validation in the setup process.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Zenphoto <= 1.3

No auth needed

Prerequisites: Access to the target's setup.php endpoint · Network connectivity to the attacker's MySQL host

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026