Skip to main content

PHP CVE-2026-5624

| EUVDEUVD-2026-19176 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-06 VulDB GHSA-8x9f-c335-83wq
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
EUVD ID Assigned
Apr 06, 2026 - 05:45 euvd
EUVD-2026-19176
Analysis Generated
Apr 06, 2026 - 05:45 vuln.today
Patch released
Apr 06, 2026 - 05:45 nvd
Patch available
CVE Published
Apr 06, 2026 - 05:00 nvd
MEDIUM 5.3

DescriptionCVE.org

A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version r2029 is able to resolve this issue. The patch is named 2c0d25824ab571b6c219ac1a188ad9350149661b. You should upgrade the affected component.

AnalysisAI

Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.

Technical ContextAI

ProjectSend is a PHP-based open-source file sharing application. The vulnerability resides in the upload.php file and is rooted in a Cross-Site Request Forgery (CWE-352) weakness, a class of vulnerability where an attacker can trick authenticated users into unwittingly submitting requests to perform actions on the target application. The attack mechanism exploits insufficient CSRF token validation or absence of proper anti-CSRF protections in the file upload handling logic. The CVSS vector indicates the attack requires user interaction (UI:R) and network accessibility (AV:N) with low attack complexity (AC:L), meaning a user must be socially engineered or tricked into visiting a malicious page while logged into ProjectSend. The PR:N rating confirms no authentication credentials are needed from the attacker themselves; the attacker leverages the victim's authenticated session.

RemediationAI

ProjectSend users should upgrade immediately to version r2029 or later, which includes the security fix via commit 2c0d25824ab571b6c219ac1a188ad9350149661b. The patched release is available at https://github.com/projectsend/projectsend/releases/tag/r2029. For organizations unable to upgrade immediately, implement network-level protections such as WAF (Web Application Firewall) rules to detect and block suspicious file upload requests to upload.php, enforce SameSite cookie attributes in application configuration if supported, and educate users against clicking untrusted links while authenticated to ProjectSend. Verify successful patching by confirming the commit hash 2c0d25824ab571b6c219ac1a188ad9350149661b is present in the running deployment. Additional hardening information is available via the VulDB references at https://vuldb.com/vuln/355414.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-5624 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy