Description
phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and retrieve files outside the intended directory.
Published: 2026-03-21
Score: 8.7 High
EPSS: 2.0% Low
KEV: No
Impact: Information Disclosure via Arbitrary File Read
Action: Patch Immediately
AI Analysis

Impact

phpTransformer 2016.9 contains a directory traversal flaw in the jQueryFileUpload master endpoint. An unauthenticated attacker can manipulate the path parameter with traversal sequences such as ../../../../../../ to list and download files located outside the intended upload directory. This allows reading of any file that the web server process can access, thereby compromising confidentiality and potentially enabling further exploitation. The weakness is classified as CWE‑22 and the CVSS score of 8.7 indicates high severity.

Affected Systems

The affected product is phpTransformer version 2016.9 from codnloc, as identified by the provided CPE string. No other versions are noted as vulnerable. Applying an upgrade to a release that removes this flaw mitigates the risk.

Risk and Exploitability

The EPSS score of 2 % suggests a relatively low probability of opportunistic exploitation at present, and the flaw is not listed in CISA KEV. Nevertheless, the vulnerability can be exploited trivially over HTTP without authentication, so any instance of the vulnerable endpoint that is reachable from an attacker can be used to read arbitrary files. The high CVSS rating and the existence of publicly available exploit code indicate that active exploitation could occur if the endpoint is exposed externally. Organizations should assess the exposure of the jQueryFileUpload master endpoint before prioritizing remediation.

Generated by OpenCVE AI on April 22, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of phpTransformer (for example 2017.0 or later) that removes the directory traversal flaw.
  • If upgrading is not immediately feasible, restrict access to the jQueryFileUpload master endpoint by firewall rules or web server configuration so that only trusted internal IP addresses can reach it, or disable the endpoint entirely.
  • Enforce strict directory permissions in the web server and PHP configuration so that the application cannot access files outside the intended upload directory.
  • Implement log monitoring for repeated traversal attempts and block offending IP addresses to reduce exposure.

Generated by OpenCVE AI on April 22, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Codnloc
Codnloc phptransformer
CPEs cpe:2.3:a:codnloc:phptransformer:2016.9:*:*:*:*:*:*:*
Vendors & Products Codnloc
Codnloc phptransformer

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Phptransformer
Phptransformer phptransformer
Vendors & Products Phptransformer
Phptransformer phptransformer

Sat, 21 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and retrieve files outside the intended directory.
Title phpTransformer 2016.9 Directory Traversal via jQueryFileUpload
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Codnloc Phptransformer
Phptransformer Phptransformer
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T14:23:10.480Z

Reserved: 2026-03-21T15:25:46.856Z

Link: CVE-2019-25579

cve-icon Vulnrichment

Updated: 2026-03-24T14:22:15.438Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-21T16:16:01.923

Modified: 2026-03-23T17:04:46.443

Link: CVE-2019-25579

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T03:45:06Z

Weaknesses