EIP-2026-119670
PRE-CVE
BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
Title source: legacy
Exploitation Summary
EIP tracks 1 public exploit for EIP-2026-119670. PoCs published by Daniel Martinez Adan.
AI-analyzed exploit summary
This document details an XXE vulnerability in BlogEngine 3.3 via the 'syndication.axd' endpoint, demonstrating SSRF and OOB data exfiltration techniques. It includes attack patterns and payload examples but does not contain functional exploit code.
Description
BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
Exploits (1)
exploitdb
WRITEUP
by Daniel Martinez Adan · text · webapps · xml
https://www.exploit-db.com/exploits/48422
Classification
Writeup 90%
Attack Type
SSRF
Complexity
Moderate
Reliability
Reliable
Target:
BlogEngine 3.3
No auth needed
Prerequisites:
Network access to the target BlogEngine instance · Ability to host external DTD files or control a collaborator server
devstral-2 · analyzed Feb 18, 2026
Details
Status
pre_cve
Tracked Since
Feb 18, 2026