Description
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
Published: 2026-06-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

phpUploader before version 2.0.2 does not require authentication to view any page of the application, and the index model performs an unbounded SELECT query that embeds the entire uploaded-files database table as JSON in an inline script block. The disclosed data includes uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints, exposing sensitive information and key material (CWE-359 and CWE-497).
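As an added illustration of the pattern the Description and Impact sections describe (not phpUploader's own code; the table and column names are assumptions), a hypothetical index model that dumps the whole table into an inline script, next to a hardened version that selects only the columns the page needs, bounds the row count, and encodes for the script context. It assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Hypothetical "index model" (assumed names; not phpUploader's own code).
function renderVulnerable(PDO $db): string
{
    // Unbounded query: every row and every column, secrets included.
    $rows = $db->query('SELECT * FROM uploads')->fetchAll(PDO::FETCH_ASSOC);
    // The whole result set, IPs and key hashes included, lands in the HTML.
    return '<script>var files = ' . json_encode($rows) . ';</script>';
}

function renderHardened(PDO $db, int $limit = 50): string
{
    // Project only the columns the page needs and bound the row count;
    // uploader_ip, key_hash, internal_name and sha256 never leave the DB.
    $stmt = $db->prepare(
        'SELECT id, display_name, size, created_at FROM uploads
         ORDER BY created_at DESC LIMIT :limit'
    );
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // Encode for an inline <script> context: "<" and ">" become \u003C and
    // \u003E, so a display name containing "</script>" cannot end the block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return '<script>var files = ' . json_encode($rows, $flags) . ';</script>';
}

// Stand-alone demo on an in-memory SQLite table with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uploads (
    id INTEGER PRIMARY KEY, display_name TEXT, size INTEGER, created_at TEXT,
    internal_name TEXT, uploader_ip TEXT, key_hash TEXT, sha256 TEXT)');
$db->exec("INSERT INTO uploads VALUES
    (1, 'report</script>.pdf', 1024, '2026-06-01T10:00:00Z', 'a1b2c3.bin',
     '203.0.113.7', '\$argon2id\$v=19\$m=65536,t=3,p=4\$CONSTRUCTED', 'CONSTRUCTED_SHA256')");
echo renderVulnerable($db), PHP_EOL; // leaks uploader_ip, key_hash, sha256, ...
echo renderHardened($db), PHP_EOL;   // only id, display_name, size, created_at
```

Running it prints the two script blocks side by side: the first carries the constructed IP, key hash and fingerprint, the second only the four display columns.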

Affected Systems

The vulnerability affects all installations of shimosyan:phpUploader running a version older than 2.0.2, i.e. any release prior to the 2.0.2 security fix.

Risk and Exploitability

The CVSS score of 8.7 indicates a high likelihood of serious confidentiality loss. The EPSS score is not available, so the exact exploitation probability cannot be quantified, and the vulnerability is not yet listed in the CISA KEV catalog. Even so, because the flaw is web-based and unauthenticated, a remote attacker can trigger the exposure simply by requesting any page of the application.

Generated by OpenCVE AI on June 29, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade phpUploader to version 2.0.2 or later to eliminate the unauthenticated database exposure.
  • Restrict direct access to the application's index pages at the web-server or firewall level until the upgrade is applied.
  • Re-evaluate the database access permissions and ensure that key material is stored and handled securely, following best practices for Argon2ID password hashing.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
Title | | phpUploader < 2.0.2 Unauthenticated Database Exposure via index model
Weaknesses | | CWE-359, CWE-497
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T15:11:47.313Z

Reserved: 2026-06-18T19:15:10.651Z

Link: CVE-2026-56124

Vulnrichment

Updated: 2026-06-29T15:11:43.328Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T16:30:17Z

Weaknesses
  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
  • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere