EIP-2026-114615

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114615. PoCs published by mister0xf.

AI-analyzed exploit summary This exploit demonstrates an authenticated command injection vulnerability in Zentao Project Management System 17.0, allowing remote code execution via the 'client' parameter in a POST request to the repo creation endpoint. The exploit authenticates, then injects a command into the 'client' field, which is executed via the 'exec' function in the vulnerable PHP code.

Description

Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)

Exploits (1)

exploitdb WORKING POC

by mister0xf · textwebappsphp

https://www.exploit-db.com/exploits/51069

View Code ZIP pw:eip

This exploit demonstrates an authenticated command injection vulnerability in Zentao Project Management System 17.0, allowing remote code execution via the 'client' parameter in a POST request to the repo creation endpoint. The exploit authenticates, then injects a command into the 'client' field, which is executed via the 'exec' function in the vulnerable PHP code.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Zentao Project Management System 17.0

Auth required

Prerequisites: Valid credentials for the target system · Access to the repo creation endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)

Exploitation Summary

Description

Exploits (1)

Details