Home

Description

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

PUBLISHED Reserved 2026-06-18 | Published 2026-06-29 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Exposure of Private Personal Information to an Unauthorized Actor

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Product status

Default status
affected

Any version before 2.0.2
affected

Credits

@rayyb0t (https://github.com/rayyb0t) finder

VulnCheck coordinator

References

github.com/shimosyan/phpUploader/releases/tag/v2.0.2 (Release Notes) release-notes

github.com/shimosyan/phpUploader/pull/294 (Pull Request) issue-tracking

github.com/...ommit/45dc4f1c9a2de5ade427deebad0148834c0e8c50 (Patch Commit) patch

www.vulncheck.com/...cated-database-exposure-via-index-model third-party-advisory

cve.org (CVE-2026-56124)

nvd.nist.gov (CVE-2026-56124)

Download JSON