phpUploader < 2.0.2 Unauthenticated Database Exposure via index model

Advisories

severity: high
date: 6/29/2026
Affecting: phpUploader < 2.0.2
CVE: CVE-2026-56124
CWE: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: Release Notes
Pull Request
Patch Commit
Credit: @rayyb0t (https://github.com/rayyb0t)
Description: phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo