CVE-2026-1107 | THREATINT

Description

A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

PUBLISHED Reserved 2026-01-17 | Published 2026-01-18 | Updated 2026-01-18 | Assigner VulDB

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Unrestricted Upload

Improper Access Controls

Timeline

2026-01-17:	Advisory disclosed
2026-01-17:	VulDB entry created
2026-01-17:	VulDB entry last update

Credits

nobb (VulDB User) reporter

References

vuldb.com/?id.341699 (VDB-341699 | EyouCMS Member Avatar Diyajax.php check_userinfo unrestricted upload) vdb-entry technical-description

vuldb.com/?ctiid.341699 (VDB-341699 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.731540 (Submit #731540 | Hainan Zanzan Network Technology Co. Eyoucms <=1.7.1 causing code execution due to file inclusion) third-party-advisory

github.com/...ausing code execution due to file inclusion.md related

github.com/...ausing code execution due to file inclusion.md exploit

cve.org (CVE-2026-1107)

nvd.nist.gov (CVE-2026-1107)

Download JSON