Description
Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution.
Published: 2026-05-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Delta Sql 1.8.2 includes an arbitrary file upload flaw that permits unauthenticated attackers to upload malicious files via POST requests to docs_upload.php. The vulnerability arises from inadequate authentication controls (CWE‑306) and enables attackers to place PHP files in the upload directory, which the web server then interprets and executes as code. This provides full remote code execution capabilities on the affected server.

Affected Systems

The flaw affects the Delta Sql database management system, specifically version 1.8.2 of the Delta Sql product. No other versions or variants are listed in the CNA data.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. Since the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the exact exploitation probability is uncertain, but the flaw permits direct unauthenticated access via the web interface, making it a high‑risk vector for attackers attempting to gain server control.

Generated by OpenCVE AI on May 30, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest patched version of Delta Sql, if one exists; the current 1.8.2 release is known to contain the flaw.
  • Configure the application to require authentication before allowing any file uploads, ensuring that only authorized users can submit files.
  • Restrict the file types that may be uploaded by implementing an upload whitelist that excludes PHP and other executable extensions; alternatively, store uploaded files in a non‑executable directory and block script execution via web server configuration.

Generated by OpenCVE AI on May 30, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution.
Title Delta Sql 1.8.2 Arbitrary File Upload via docs_upload.php
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:18.571Z

Reserved: 2026-05-30T12:32:05.035Z

Link: CVE-2018-25412

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-30T16:17:01.990

Modified: 2026-05-30T16:17:01.990

Link: CVE-2018-25412

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T16:30:27Z

Weaknesses