Description
A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted file upload potentially enabling remote code execution
Action: Apply Patch
AI Analysis

Impact

The flaw exists in the App::UnPack function of Z-BlogPHP 1.7.5, specifically within the ZBA File Handler plugin's app_upload.php. It permits a remote attacker to upload files of any type without restriction, which can lead to the placement of malicious code on the web server and compromise data confidentiality, integrity, and availability if such files can be executed.

Affected Systems

All installations of Z-BlogPHP 1.7.5 that include the ZBA File Handler plugin are vulnerable. The weakness is located in the app_upload.php script accessed over the web.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the exploit is publicly available, implying a realistic threat. Although the EPSS score is not provided, the vulnerability can be triggered remotely by sending a crafted upload request, and it is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 20, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor’s patched version of Z-BlogPHP 1.7.5 as soon as it becomes available.
  • Reconfigure the web server or application to reject all non-whitelisted file types and to place uploaded files in a directory that does not allow script execution.
  • Implement server-side input validation that enforces a strict whitelist of allowable MIME types and extensions before accepting any upload.
  • If a patch is not yet available, monitor upload activity closely and audit file contents for suspicious scripts or binaries.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Zblogcn; Zblogcn z-blogphp
Vendors & Products  |                | Zblogcn; Zblogcn z-blogphp

Mon, 20 Apr 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title       |                | Z-BlogPHP ZBA File app_upload.php UnPack unrestricted upload
Weaknesses  |                | CWE-284; CWE-434
References  |                |
Metrics     |                | cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T16:23:25.105Z

Reserved: 2026-04-20T05:43:12.359Z

Link: CVE-2026-6650

Vulnrichment

Updated: 2026-04-20T16:23:20.805Z

NVD

Status : Received

Published: 2026-04-20T16:16:55.617

Modified: 2026-04-20T16:16:55.617

Link: CVE-2026-6650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:48:00Z

Weaknesses