Skip to main content

Phpuploader

3 CVEs product

Monthly

CVE-2026-56124 HIGH PATCH This Week

Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. No public exploit identified at time of analysis, but the data is exposed in plain HTML source on every page, making extraction trivial; CVSS 4.0 base is 8.7 (High).

Information Disclosure Phpuploader
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2022-24435 MEDIUM PATCH This Month

Cross-site scripting vulnerability in phpUploader v1.2 and earlier allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Phpuploader
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-23986 HIGH PATCH This Week

SQL injection vulnerability in the phpUploader v1.2 and earlier allows a remote unauthenticated attacker to obtain the information in the database via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Phpuploader
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. No public exploit identified at time of analysis, but the data is exposed in plain HTML source on every page, making extraction trivial; CVSS 4.0 base is 8.7 (High).

Information Disclosure Phpuploader
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting vulnerability in phpUploader v1.2 and earlier allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Phpuploader
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

SQL injection vulnerability in the phpUploader v1.2 and earlier allows a remote unauthenticated attacker to obtain the information in the database via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Phpuploader
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy