Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network read with no user interaction (AV:N/AC:L/PR:N/UI:N) leaking secrets gives C:H; no data modification or service disruption so I:N/A:N and scope unchanged.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
AnalysisAI
Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of phpUploader before 2.0.2; the sensitive data is embedded in the inline script of every rendered page, so merely reaching any page over the network is sufficient (AV:N/AC:L/AT:N/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) describes a network-reachable, low-complexity, unauthenticated read with high confidentiality impact and no integrity or availability impact - internally consistent with the description of passive data exposure on any page load. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers an internet-facing phpUploader instance and requests its index (or any) page over HTTP. They view the raw HTML source, locate the inline script block containing the JSON-encoded uploaded-files table, and read out every uploader's IP address, Argon2ID key hash, internal filename, and SHA-256 fingerprint without logging in. … |
| Remediation | Vendor-released patch: upgrade to phpUploader v2.0.2 or later (https://github.com/shimosyan/phpUploader/releases/tag/v2.0.2), which is the definitive fix per PR #294 and commit 45dc4f1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all systems running phpUploader and identify versions prior to 2.0.2. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Phpuploader
View allSQL injection vulnerability in the phpUploader v1.2 and earlier allows a remote unauthenticated attacker to obtain the i
Cross-site scripting vulnerability in phpUploader v1.2 and earlier allows a remote unauthenticated attacker to inject an
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40114
GHSA-wghr-7f2j-9x3f