Description
A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Manipulating the argument viewfile can lead to unrestricted upload. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload (Based on the description, it is inferred this may lead to remote code execution).
Action: Patch Immediately
AI Analysis

Impact

A vulnerability exists in the check_userinfo function within Diyajax.php of EyouCMS, where the viewfile parameter is not properly validated. This allows an attacker to upload arbitrary files without restriction, and based on the description, it is inferred that such files could be executable and lead to remote code execution. The flaw is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

The affected product is EyouCMS, specifically versions 1.7.0, 1.7.1, and 5.0, as well as any earlier builds that incorporate the vulnerable check_userinfo implementation. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS value below 1% suggests a low likelihood of exploitation. Based on the description, it is inferred that the flaw can be exploited remotely without authentication; note, however, that every CVSS vector recorded in the History section rates the required privileges as low (PR:L in v3.x/v4.0, Au:S in v2.0), i.e. a low-privileged account rather than anonymous access. After a file is uploaded, it is inferred that the file could be executed, potentially giving attackers control over the application. Although the vulnerability is not yet listed in the CISA KEV catalog, publicly available proof-of-concept code means a working exploit could be deployed quickly if the issue remains unfixed. Monitoring for unusual upload activity and applying defensive measures is advised until a patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor’s official patch or upgrade to a version of EyouCMS that contains the fix for the unrestricted upload flaw.
  • If an official fix is unavailable, configure the upload system to accept only image file types by validating MIME types and extensions, and store uploaded files outside the web root or protect the upload directory with server restrictions.
  • As a temporary workaround, block or restrict external access to the Diyajax.php check_userinfo endpoint through your web server configuration or a web application firewall, and monitor the application for suspicious upload activity.
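The second recommended action above describes the shape of a hardened avatar upload handler: accept only image types, check both the extension and the actual content, never let the client choose the stored name, and keep files outside the web root. The following Python snippet is an added illustration of those checks written for this page; it is not EyouCMS code and does not reproduce the check_userinfo function. The storage path, the sample inputs and the 2 MiB size limit are assumptions chosen for the example.

```python
"""Allowlist-based avatar upload validation (added illustration, not EyouCMS code)."""
import os
import secrets
from dataclasses import dataclass

# Hypothetical storage location outside the web root; adjust for your deployment.
UPLOAD_ROOT = "/var/app/uploads/avatars"

# Extension allowlist and the magic bytes each image format must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB ceiling for an avatar


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_avatar(client_filename: str, data: bytes) -> UploadDecision:
    """Decide whether an uploaded avatar may be stored and under what server-chosen name.

    The client-supplied name is used only to look up the claimed extension;
    the stored name is random, so the uploader never controls it.
    """
    if not data:
        return UploadDecision(False, "empty body")
    if len(data) > MAX_BYTES:
        return UploadDecision(False, "file too large")

    # Keep only the final path component: "../x.png" and "..\\x.png" are rejected outright.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base != client_filename or base in ("", ".", ".."):
        return UploadDecision(False, "path components in filename")

    # Exactly one extension: "avatar.php.png" is rejected rather than parsed.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return UploadDecision(False, "filename must be name.ext")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension .{ext} not allowed")

    # Content sniffing: the bytes must look like the format the extension claims.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match extension")

    # Defence in depth: refuse anything carrying a PHP open tag anywhere in it,
    # since a misconfigured server might still hand a .png to the PHP engine.
    if b"<?php" in data or b"<?=" in data:
        return UploadDecision(False, "embedded script tag")

    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadDecision(True, "ok", stored)


def store_avatar(client_filename: str, data: bytes, root: str = UPLOAD_ROOT) -> UploadDecision:
    """Validate, then write under a random name with exclusive creation (no overwrite)."""
    decision = validate_avatar(client_filename, data)
    if decision.accepted:
        os.makedirs(root, exist_ok=True)
        with open(os.path.join(root, decision.stored_name), "xb") as fh:
            fh.write(data)
    return decision


# Constructed sample inputs (not taken from the advisory).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_SCRIPT = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, body in [("avatar.png", SAMPLE_PNG), ("avatar.php", SAMPLE_SCRIPT),
                       ("avatar.png", SAMPLE_SCRIPT), ("../avatar.png", SAMPLE_PNG)]:
        d = validate_avatar(name, body)
        print(f"{name!r}: accepted={d.accepted} reason={d.reason} stored={d.stored_name}")
```

The web server side of the same recommendation (denying script execution in the upload directory, or serving it from a location the PHP handler never sees) is configuration rather than code and is not shown here; the validator above is the application-side half.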

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 04:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:eyoucms:eyoucms:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:eyoucms:eyoucms:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:eyoucms:eyoucms:5.0:*:*:*:*:*:*:*

Mon, 23 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:eyoucms:eyoucms:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 18:15:00 +0000

Metrics, values added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

First Time appeared, values added: Eyoucms; Eyoucms eyoucms
Vendors & Products, values added: Eyoucms; Eyoucms eyoucms

Sun, 18 Jan 2026 00:45:00 +0000

Description, values added: A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title, values added: EyouCMS Member Avatar Diyajax.php check_userinfo unrestricted upload
Weaknesses, values added: CWE-284; CWE-434
References, values added: (none listed)
Metrics, values added:

cvssV2_0
{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:35:22.852Z

Reserved: 2026-01-17T08:41:54.975Z

Link: CVE-2026-1107

Vulnrichment

Updated: 2026-01-20T17:20:29.932Z

NVD

Status : Analyzed

Published: 2026-01-18T01:15:51.247

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-1107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses