Description
A vulnerability was detected in EyouCMS up to 1.7.1. This issue affects the function edit_adminlogo of the file application/admin/controller/Index.php. Performing a manipulation of the argument filename results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-19
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Unrestricted File Upload
Action: Update Software
AI Analysis

Impact

The edit_adminlogo function in EyouCMS’s Index controller accepts a filename argument without validation, allowing an attacker to upload any file type to the server. This flaw can be exploited remotely and may lead to the execution of malicious code or disclosure of sensitive information if uploaded files are placed in writable directories.

Affected Systems

EyouCMS installations running version 1.7.1 or earlier are vulnerable. The issue is located in the file application/admin/controller/Index.php and affects the admin logo upload feature.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is not available, suggesting an unknown exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but the public exploit is already available. An attacker can remotely submit a crafted request to the edit_adminlogo endpoint and upload arbitrary files.

Generated by OpenCVE AI on April 19, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest EyouCMS patch or upgrade to a version that includes the fix for edit_adminlogo.
  • Configure the application to validate MIME types and restrict file extensions for admin logo uploads.
  • Configure the web server or use a web‑application firewall to prevent execution of files in the upload directory.
  • Monitor upload directories and access logs for anomalous activity to detect potential exploitation attempts.

Generated by OpenCVE AI on April 19, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 19 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in EyouCMS up to 1.7.1. This issue affects the function edit_adminlogo of the file application/admin/controller/Index.php. Performing a manipulation of the argument filename results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title EyouCMS Index.php edit_adminlogo unrestricted upload
First Time appeared Eyoucms
Eyoucms eyoucms
Weaknesses CWE-284
CWE-434
CPEs cpe:2.3:a:eyoucms:eyoucms:*:*:*:*:*:*:*:*
Vendors & Products Eyoucms
Eyoucms eyoucms
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Eyoucms Eyoucms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-19T07:15:11.267Z

Reserved: 2026-04-18T15:58:33.191Z

Link: CVE-2026-6561

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-19T08:16:26.113

Modified: 2026-04-19T08:16:26.113

Link: CVE-2026-6561

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-19T09:30:22Z

Weaknesses