Description
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.
Published: 2026-05-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SIM-PKH 2.4.1 contains an arbitrary file upload flaw that lets any authenticated user upload files by sending PHP code in the fupload field. The uploaded PHP files are stored in the foto directory and are later interpreted by the web server, enabling an attacker to execute arbitrary code on the host. The flaw is a classic file‑upload vulnerability, classified as CWE‑434, and can lead directly to remote code execution and full compromise of the affected system.

Affected Systems

This issue affects the SIM-PKH application from Simpkh, specifically version 2.4.1. The vulnerability is triggered by accessing the aksi_pengurus.php endpoint with module=pengurus and act=update parameters while authenticated. No other versions or products were listed as impacted in the CNA data.

Risk and Exploitability

The CVSS base score of 8.7 indicates a high severity flaw. Because only authenticated users can trigger the upload, an attacker first needs valid credentials, which may be gained via phishing, credential reuse, or social engineering. Once authenticated, uploading a PHP file into the foto directory is trivial; the file is then executed by the web server. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that, while the flaw is serious, it has not yet been widely exploited. Nonetheless, the potential for full system compromise warrants immediate attention.

Generated by OpenCVE AI on May 30, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SIM-PKH to the latest release that removes the arbitrary file‑upload flaw.
  • If a patch cannot be applied right away, configure the web server or an .htaccess file to disable PHP execution in the foto directory and enforce strict MIME‑type checks so that only legitimate image files are accepted.
  • Limit upload functionality to administrators and protect login credentials with strong passwords and two-factor authentication to reduce the risk of credential compromise.

Generated by OpenCVE AI on May 30, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Simpkh
Simpkh sim-pkh
Vendors & Products Simpkh
Simpkh sim-pkh

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.
Title SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Simpkh Sim-pkh
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:16.382Z

Reserved: 2026-05-30T12:26:46.782Z

Link: CVE-2018-25409

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-30T16:17:01.587

Modified: 2026-05-30T16:17:01.587

Link: CVE-2018-25409

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:17:47Z

Weaknesses