Home

Description

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.

PUBLISHED Reserved 2026-05-30 | Published 2026-05-30 | Updated 2026-06-01 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

2.4.1
affected

Credits

Ihsan Sencan finder

References

www.exploit-db.com/exploits/45659 (ExploitDB-45659) exploit

simpkh.sourceforge.io/ (Official Product Homepage) product

sourceforge.net/projects/simpkh/files/latest/download (Product Reference) product

www.vulncheck.com/...trary-file-upload-via-aksi-pengurus-php (VulnCheck Advisory: SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php) third-party-advisory

cve.org (CVE-2018-25409)

nvd.nist.gov (CVE-2018-25409)

Download JSON