Description
PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to the bizuno/image/manager endpoint and execute them via the bizunoFS.php script for remote code execution.
Published: 2026-03-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated user can upload arbitrary files through the image manager component of PhreeBooks ERP 5.2.3. The flaw allows malicious PHP scripts to be stored via the imgFile parameter and subsequently executed by the bizunoFS.php handler, enabling attackers to run arbitrary code on the server. This corresponds to CWE‑434 and directly compromises confidentiality, integrity, and availability of the affected system.

Affected Systems

Phreesoft PhreeBooks ERP version 5.2.3 is affected. The vulnerability resides in the image upload endpoint (bizuno/image/manager) of this product.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, while the EPSS score below 1 % suggests low current exploitation activity. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires valid user credentials, so the attack vector is internal with authenticated users. Once triggered, the flaw can give an attacker full remote code execution capabilities on the host running the application.

Generated by OpenCVE AI on March 26, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Phreesoft’s website or support channels for a patch or updated version that fixes the arbitrary file upload flaw.
  • Upgrade PhreeBooks ERP to a version newer than 5.2.3 once a patch is available.
  • If an immediate upgrade is not possible, disable or restrict the bizuno/image/manager endpoint so that only allowed file types are accepted, and configure the server to reject PHP uploads.
  • Monitor the upload logs for suspicious activity and enforce strict file‑type validation and permission settings as an additional safeguard.

Generated by OpenCVE AI on March 26, 2026 at 19:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
CPEs cpe:2.3:a:phreesoft:phreebookserp:5.2.3:*:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Phreesoft
Phreesoft phreebookserp
Vendors & Products Phreesoft
Phreesoft phreebookserp

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to the bizuno/image/manager endpoint and execute them via the bizunoFS.php script for remote code execution.
Title PhreeBooks ERP 5.2.3 Arbitrary File Upload via Image Manager
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Phreesoft Phreebookserp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T16:15:53.724Z

Reserved: 2026-03-24T11:01:20.165Z

Link: CVE-2019-25630

cve-icon Vulnrichment

Updated: 2026-03-24T17:53:17.591Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T12:16:03.200

Modified: 2026-03-26T17:16:26.010

Link: CVE-2019-25630

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:21:11Z

Weaknesses