Description
A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload (Potential Remote Code Execution)
Action: Apply Patch
AI Analysis

Impact

QueryMine SMS contains an unrestricted file upload flaw in admin/addteacher.php due to insufficient validation of the image argument. This flaw corresponds to CWE-284 and CWE-434 and enables an attacker to upload arbitrary files that may be executed or used for further compromise. The description indicates that the attack can be launched remotely; based on the description, it is inferred that the attacker would manipulate the image argument in a crafted POST request to the upload endpoint. The exploit can lead to remote code execution, data leakage, or defacement if the uploaded file is executed by the server.

Affected Systems

All deployments of QueryMine SMS based on or prior to the commit 7ab5a9ea196209611134525ffc18de25c57d9593 are potentially affected. The product does not use versioning, so no specific release numbers can be cited; any instance that includes the Background Management Page (admin/addteacher.php) is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, but public exploit releases and the vendor's lack of response increase the risk. The vulnerability is not listed in CISA's KEV catalog. Because the flaw allows remote upload of arbitrary files, it is a high-impact attack surface that can be abused even if the attacker does not achieve immediate code execution; the upload can facilitate social engineering or serve as a foothold for later stages of compromise.

Generated by OpenCVE AI on April 18, 2026 at 17:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or update to QueryMine SMS when a vendor fix becomes available to address the upload validation issue in admin/addteacher.php.
  • Configure the web server or application to allow the addteacher.php endpoint to be accessed only by authenticated administrators, thereby enforcing proper access control.
  • Add server-side validation that checks MIME types, file signatures, and size limits, rejecting any non-image files uploaded through the endpoint.
  • If a patch or strict controls cannot be implemented immediately, temporarily disable the addteacher.php endpoint or restrict it to a closed testing network.
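The second and third recommended actions (admin-only access plus server-side MIME, signature and size checks) can be put into one upload handler. The following PHP is an added example written for this page, not QueryMine's code or a vendor patch: the form field name "image" follows the advisory, while the session flag, the size cap and the storage path are assumptions that would have to be mapped onto the real application.

```php
<?php
// Added example (not QueryMine's code): a hardened image-upload handler that
// applies the controls from the recommended actions above: admin-only access,
// content-based MIME and signature checks, a size limit, an extension
// allow-list, a server-chosen random file name, and storage outside the
// document root. Session key, size cap and paths are assumptions.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;       // 2 MiB cap (assumed policy)
const UPLOAD_DIR = '/var/www/private/uploads';  // assumed path, outside the web root
const ALLOWED_IMAGES = [
    // MIME type detected from file content => extension the file is stored under
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Access control: only an authenticated administrator may reach the handler.
function require_admin(): void
{
    session_start();
    // 'is_admin' is an assumed session flag; use whatever the login code sets.
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/**
 * Validate one $_FILES entry and return the extension to store it under.
 * Throws on any failed check. Nothing the client supplies (name, type) is trusted.
 */
function validate_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // MIME type from the bytes via libmagic; $file['type'] is client-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGES[$mime])) {
        throw new RuntimeException('Unsupported content type');
    }

    // Independent signature check: the file must parse as the image type claimed.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    // Belt and braces: the client's extension must agree with the detected content.
    // The stored name is chosen by the server below, so the original name never
    // reaches the filesystem.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $canonical = ALLOWED_IMAGES[$mime];
    $aliases = ['jpg' => ['jpg', 'jpeg'], 'png' => ['png'], 'gif' => ['gif']];
    if (!in_array($ext, $aliases[$canonical], true)) {
        throw new RuntimeException('Extension does not match content');
    }
    return $canonical;
}

// Move the validated file under a random name with non-executable permissions.
function store_image(array $file, string $ext): string
{
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);
    return $name;
}

require_admin();
try {
    $ext = validate_image_upload($_FILES['image'] ?? []);
    $stored = store_image($_FILES['image'], $ext);
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Two design points matter more than any single check. First, the decision is made from the file's bytes (finfo plus getimagesize) and never from the client-supplied name or Content-Type, which is the gap an unrestricted-upload flaw exploits. Second, because the file lands outside the document root under a server-chosen name, even a file that slips past validation cannot be requested as a script by URL; the application would serve stored images back through a separate read-only handler that sets the Content-Type itself.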

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Querymine, Querymine sms
Vendors & Products | | Querymine, Querymine sms

Fri, 17 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | QueryMine sms Background Management addteacher.php unrestricted upload
Weaknesses | | CWE-284, CWE-434
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-17T16:36:28.077Z

Reserved: 2026-04-17T07:14:09.721Z

Link: CVE-2026-6489

Vulnrichment

Updated: 2026-04-17T16:36:22.808Z

NVD

Status: Deferred

Published: 2026-04-17T13:16:14.787

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z

Weaknesses