EIP-2026-119409

PRE-CVE

Netwin SurgeFTP Sever 23d6 - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-119409. PoCs published by Un_N0n.

AI-analyzed exploit summary This document describes stored XSS vulnerabilities in Netwin SurgeFTP Server version 23d6, detailing how to exploit them via the 'Domain Name' and 'Mirrors' fields using crafted payloads. It also critiques the vendor's ineffective blacklisting approach.

Description

Netwin SurgeFTP Sever 23d6 - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP VERIFIED

by Un_N0n · textwebappswindows

https://www.exploit-db.com/exploits/38762

View Code ZIP pw:eip

This document describes stored XSS vulnerabilities in Netwin SurgeFTP Server version 23d6, detailing how to exploit them via the 'Domain Name' and 'Mirrors' fields using crafted payloads. It also critiques the vendor's ineffective blacklisting approach.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Netwin SurgeFTP Server 23d6

Auth required

Prerequisites: Access to SurgeFTP web interface · Valid credentials to modify domain or mirror settings

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026