EIP-2026-119671

PRE-CVE

Citrix StoreFront Server 7.15 - XML External Entity Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-119671. PoCs published by Vahagn Vardanyan.

AI-analyzed exploit summary: This exploit demonstrates an XML External Entity (XXE) injection vulnerability in Citrix StoreFront Server. The PoC sends a maliciously crafted XML payload to the authentication endpoint, which can lead to information disclosure or server-side request forgery (SSRF).

Description

Citrix StoreFront Server 7.15 - XML External Entity Injection

Exploits (1)

exploitdb · WORKING POC
by Vahagn Vardanyan · text · webapps · xml
https://www.exploit-db.com/exploits/47561

Classification: Working PoC 95%
Attack Type: XXE
Complexity: Trivial
Reliability: Reliable
Target: Citrix StoreFront Server earlier than 1903, 7.15 LTSR earlier than CU4 (3.12.4000), 7.6 LTSR earlier than CU8 (3.0.8000)
No auth needed
Prerequisites: Network access to the Citrix StoreFront Server
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026