CVE-2026-56124
HighCVSS 7.5Summary
phpUploader before version 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
Risk Assessment
The risk for the organization is the leakage of sensitive data such as user IP addresses, password hashes, and file metadata, which could lead to privacy breaches and further attacks. The attacker does not require authentication, increasing the likelihood of exploitation.
Recommendation
It is recommended to immediately upgrade phpUploader to version 2.0.2 or later, which fixes this vulnerability. Additionally, restrict access to the application and review logs for potential exploitation attempts.
Original NVD description (English source)
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

