CVE Catalog

CVE-2026-56124

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Summary

phpUploader before version 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

Risk Assessment

The risk for the organization is the leakage of sensitive data such as user IP addresses, password hashes, and file metadata, which could lead to privacy breaches and further attacks. The attacker does not require authentication, increasing the likelihood of exploitation.

Recommendation

It is recommended to immediately upgrade phpUploader to version 2.0.2 or later, which fixes this vulnerability. Additionally, restrict access to the application and review logs for potential exploitation attempts.

Original NVD description (English source)

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS