
Description

A security flaw has been discovered in PbootCMS up to 3.2.12. It affects an unknown function in the file core/function/file.php of the File Upload component. Manipulating the argument black results in an incomplete blacklist. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

PUBLISHED Reserved 2026-03-20 | Published 2026-03-21 | Updated 2026-03-24 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
MEDIUM: 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Incomplete Blacklist

Permissive List of Allowed Inputs

Timeline

2026-03-20: Advisory disclosed
2026-03-20: VulDB entry created
2026-03-20: VulDB entry last update

Credits

zmjjkk (VulDB User) reporter

References

vuldb.com/?id.352075 (VDB-352075 | PbootCMS File Upload file.php incomplete blacklist) vdb-entry technical-description

vuldb.com/?ctiid.352075 (VDB-352075 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.773901 (Submit #773901 | 翱云科技 PbootCMS 3.2.12 Incomplete Identification of Uploaded File Variables) third-party-advisory

github.com/...ain/VULN-04_DANGEROUS_FILE_UPLOAD_REPORT_EN.md exploit

cve.org (CVE-2026-4509)

nvd.nist.gov (CVE-2026-4509)
