EIP-2026-120690

PRE-CVE

solaredge - (CSRF-OOB-Injection)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-120690. PoCs published by nu11secur1ty.

AI-analyzed exploit summary The exploit demonstrates a CSRF vulnerability in SolarEdge's `/solaredge-web/p/initClient` endpoint, allowing session parameter manipulation via crafted POST requests. It also leverages OOB injection via `X-Forwarded-For` and `Referer` headers to force external requests.

Description

solaredge - (CSRF-OOB-Injection)

Exploits (1)

exploitdb WORKING POC

by nu11secur1ty · textwebappsmultiple

https://www.exploit-db.com/exploits/52569

View Code ZIP pw:eip

The exploit demonstrates a CSRF vulnerability in SolarEdge's `/solaredge-web/p/initClient` endpoint, allowing session parameter manipulation via crafted POST requests. It also leverages OOB injection via `X-Forwarded-For` and `Referer` headers to force external requests.

Classification

Working Poc 95%

Attack Type

Csrf | Oob Injection

Complexity

Moderate

Reliability

Reliable

Target: SolarEdge Monitoring Platform - Framework /solaredge-web/

No auth needed

Prerequisites: Victim must visit attacker-controlled page · SolarEdge session cookies not protected by SameSite

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed May 22, 2026 Full analysis →

Details

Status pre_cve

Tracked Since May 22, 2026