Skip to main content

phpUploader CVE-2026-56124

| EUVDEUVD-2026-40114 HIGH
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2026-06-29 VulnCheck GHSA-wghr-7f2j-9x3f
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network read with no user interaction (AV:N/AC:L/PR:N/UI:N) leaking secrets gives C:H; no data modification or service disruption so I:N/A:N and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 15:18 vuln.today

DescriptionCVE.org

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

AnalysisAI

Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach phpUploader over network
Delivery
Request any application page
Exploit
Server embeds full table as inline JSON
Execution
Read source for IPs, Argon2ID hashes, filenames, hashes
Impact
Harvest exposed records

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of phpUploader before 2.0.2; the sensitive data is embedded in the inline script of every rendered page, so merely reaching any page over the network is sufficient (AV:N/AC:L/AT:N/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) describes a network-reachable, low-complexity, unauthenticated read with high confidentiality impact and no integrity or availability impact - internally consistent with the description of passive data exposure on any page load. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-facing phpUploader instance and requests its index (or any) page over HTTP. They view the raw HTML source, locate the inline script block containing the JSON-encoded uploaded-files table, and read out every uploader's IP address, Argon2ID key hash, internal filename, and SHA-256 fingerprint without logging in. …
Remediation Vendor-released patch: upgrade to phpUploader v2.0.2 or later (https://github.com/shimosyan/phpUploader/releases/tag/v2.0.2), which is the definitive fix per PR #294 and commit 45dc4f1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems running phpUploader and identify versions prior to 2.0.2. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy