Description
A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The name of the patch is e20ec58414103f781858f2951d178e19b1736664. A patch should be applied to remediate this issue.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw discovered in zyx0814 FilePress allows a remote attacker to manipulate the `order` argument handled by admin.php in the Shares Filelist API, which in turn triggers SQL injection. This weakness is classified under CWE-74 and CWE-89 and permits execution of arbitrary SQL statements against the database, leading to potential leakage or alteration of sensitive data and disruption of application functionality.

Affected Systems

All releases of zyx0814 FilePress containing the Shares Filelist API up to version 2.2.0 are affected. No earlier or later versions are noted as vulnerable in the available data.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. No EPSS score is available, so the current likelihood of exploitation remains uncertain, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, meaning that any client able to reach the API endpoint can potentially exploit the flaw without needing authentication. An exploit has been publicly disclosed, suggesting that exploitation is feasible if the patch is not applied.

Generated by OpenCVE AI on May 8, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch identified by commit e20ec58414103f781858f2951d178e19b1736664 to update FilePress to version 2.2.0 or later.
  • Verify that the patched admin.php validates input parameters and blocks unsanitized SQL execution.
  • If immediate patching is not possible, block external traffic to the Shares Filelist API endpoint with firewall rules or temporarily disable the API until the patch is applied.
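As an added illustration of the second recommended action (checking the parameter before it reaches SQL), and not code from the FilePress project: the page says only that the `order` argument of dzz/shares/admin.php reaches a SQL query. The example assumes, for illustration, that `order` selects a sort column, which is the most common way a parameter with that name enters a query; the `$pdo` handle, the `shares` table and its columns, and the `dir`, `limit` and `uid` parameters are hypothetical.

```php
<?php
// Added example, not FilePress code. Assumes a "Shares Filelist"-style
// listing where the request's `order` argument selects a sort column.
// Hypothetical names: $pdo, the shares table and its columns.

// Pattern to verify is gone: the request value is spliced into the
// statement text, so anything in `order` becomes part of the query.
function list_shares_unsafe(PDO $pdo, array $request): array
{
    $order = $request['order'] ?? 'dateline';
    $sql = "SELECT id, name, dateline FROM shares ORDER BY $order";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: SQL identifiers (column names, sort direction) cannot
// be bound as prepared-statement parameters, so they are resolved through
// an allow-list, and every value-type input is bound instead of spliced.
function list_shares_safe(PDO $pdo, array $request): array
{
    // Map of accepted request values to the exact SQL identifiers used.
    $allowedOrder = [
        'name'     => 'name',
        'dateline' => 'dateline',
        'size'     => 'size',
    ];
    $allowedDir = ['asc' => 'ASC', 'desc' => 'DESC'];

    $orderKey = $request['order'] ?? 'dateline';
    $dirKey   = strtolower($request['dir'] ?? 'desc');

    if (!array_key_exists($orderKey, $allowedOrder)
        || !array_key_exists($dirKey, $allowedDir)) {
        // Reject rather than silently fall back: an unexpected value is
        // either a client bug or probing, and both are worth logging.
        throw new InvalidArgumentException('invalid sort parameter');
    }

    // Clamp the page size so a numeric input cannot be abused either.
    $limit = min(max((int)($request['limit'] ?? 50), 1), 500);

    $sql = sprintf(
        'SELECT id, name, dateline FROM shares WHERE uid = :uid ORDER BY %s %s LIMIT :limit',
        $allowedOrder[$orderKey],
        $allowedDir[$dirKey]
    );
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':uid', (int)($request['uid'] ?? 0), PDO::PARAM_INT);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

When reviewing the patched admin.php, the thing to look for is this shape: the request value never appears inside the statement text, only an allow-listed identifier does, and the rejection branch is logged so that repeated invalid `order` values show up in monitoring.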

Generated by OpenCVE AI on May 8, 2026 at 05:51 UTC.


Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Zyx0814; Zyx0814 filepress

Type: Vendors & Products
Values removed: (none)
Values added: Zyx0814; Zyx0814 filepress

Fri, 08 May 2026 14:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 04:00:00 +0000

Type: Description
Values removed: (none)
Values added: A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The name of the patch is e20ec58414103f781858f2951d178e19b1736664. A patch should be applied to remediate this issue.

Type: Title
Values removed: (none)
Values added: zyx0814 FilePress Shares Filelist API admin.php sql injection

Type: Weaknesses
Values removed: (none)
Values added: CWE-74; CWE-89

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added:

cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T14:07:28.131Z

Reserved: 2026-05-07T17:33:03.678Z

Link: CVE-2026-8133

Vulnrichment

Updated: 2026-05-08T14:07:24.715Z

NVD

Status : Deferred

Published: 2026-05-08T04:16:26.160

Modified: 2026-05-08T15:47:03.413

Link: CVE-2026-8133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:26:09Z

Weaknesses