Skip to main content

PHP CVE-2026-6489

| EUVD-2026-23426 LOW
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-04-17 VulDB GHSA-x6mf-8rqw-rvhf
PHP File Upload
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 17, 2026 - 13:27 vuln.today
CVSS changed
Apr 17, 2026 - 13:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
EUVD ID Assigned
Apr 17, 2026 - 13:15 euvd
EUVD-2026-23426
Analysis Generated
Apr 17, 2026 - 13:15 vuln.today
CVE Published
Apr 17, 2026 - 13:00 nvd
LOW 2.1

DescriptionCVE.org

A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unrestricted file upload vulnerability in QueryMine SMS admin panel allows authenticated remote attackers to upload arbitrary files via the image parameter in admin/addteacher.php, potentially enabling remote code execution. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin credentials
Delivery
Authenticate to admin panel
Exploit
Navigate to add teacher form
Execution
Upload PHP shell in image parameter
Persist
Access uploaded file URL
Impact
Execute arbitrary code on server
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires valid authenticated admin credentials to access the admin panel (PR:L privilege level confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS v4.0 score of 5.3 with network vector (AV:N) and low complexity (AC:L) indicates moderate severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid admin credentials (obtained through credential compromise or insider threat) authenticates to the QueryMine SMS admin panel and navigates to the add teacher functionality. The attacker uploads a PHP web shell as the 'image' parameter, exploiting the lack of file type validation in admin/addteacher.php. …
Remediation No vendor-released patch identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-6489 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy