Description

TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.

PUBLISHED Reserved 2025-12-16 | Published 2025-12-17 | Updated 2025-12-18 | Assigner VulnCheck




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CRITICAL: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

2.5: affected

Credits

Mirabbas Ağalarov (finder)

References

www.exploit-db.com/exploits/51443 (ExploitDB-51443) exploit

www.tinywebgallery.com/ (Official Product Webpage) product

www.vulncheck.com/...-execution-via-unrestricted-file-upload (VulnCheck Advisory: TinyWebGallery v2.5 Remote Code Execution via Unrestricted File Upload) third-party-advisory

cve.org (CVE-2023-53922)

nvd.nist.gov (CVE-2023-53922)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.