Description
A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the uniqid function used by the file upload component (upload.inc.php) allows an attacker to upload arbitrary files without restriction. This is an unrestricted upload of a file with dangerous type (CWE-434); combined with improper access control (CWE-284), it could allow an attacker to place malicious code or other harmful content on the server. The vulnerability is exploitable remotely and has been publicly disclosed.

Affected Systems

The issue affects KLiK SocialMediaWebsite version 1.0 and earlier builds incorporating the file upload.inc.php handler from the File Handler component. Users who have not applied updates or removed the upload capability are potentially vulnerable.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability presents a medium severity risk. No EPSS score is available, and the vulnerability is not currently listed in CISA’s KEV catalog, suggesting it may not be widely exploited yet. However, the attack vector is remote and does not require authentication, indicating that any exposed upload endpoint could be abused. The combination of unrestricted file upload and inadequate access control elevates the risk of successful exploitation should an attacker discover the endpoint.

Generated by OpenCVE AI on May 25, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the official fix from KLiK SocialMediaWebsite or upgrade to a patched version.
  • If a patch is not available, disable the file upload feature or limit it to authorized users only.
  • Enforce strict file type validation and size limits on the upload endpoint, ensuring only allowed MIME types are accepted.
  • Store uploaded files outside the web root and remove execute permissions from the storage directory to prevent code execution.
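The following is an added example, not code from KLiK SocialMediaWebsite, showing one way to implement the recommended actions above in a PHP upload handler: an authorization gate, a size limit, an extension allowlist cross-checked against the content-detected MIME type, a server-generated random file name, storage outside the web root and a non-executable file mode. The upload directory, the size limit and the `current_user_may_upload()` authorization helper are assumptions.

```php
<?php
// Added example (not the project's own upload.inc.php): hardened file upload handler.
// Assumptions: UPLOAD_DIR is outside the document root and is only ever read back
// through a download script; current_user_may_upload() is the application's own
// authorization check and is not defined here.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed limit: 2 MiB

// Allowlist: permitted extension => MIME type expected from the file's content.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

/**
 * Validate and store one entry of $_FILES. Returns the stored file name on
 * success; throws RuntimeException on any failure (the caller maps it to an
 * HTTP 4xx response).
 */
function handle_upload(array $file, bool $user_is_authorized): string
{
    // CWE-284 mitigation: only authorized users may reach the upload logic.
    if (!$user_is_authorized) {
        throw new RuntimeException('upload not permitted');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept a file that PHP itself received in this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Never trust the client-supplied name or type: keep only the extension,
    // lower-cased, and require it to be on the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('file type not allowed');
    }

    // CWE-434 mitigation: check the real content type (magic bytes) against the
    // allowlist instead of the client-reported $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // Server-generated, unpredictable name with the allowlisted extension only.
    // uniqid() is derived from the clock and is not a source of randomness, so
    // random_bytes() is used here instead.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // Owner read/write only; no execute bit for anyone.
    chmod($dest, 0600);

    return $name;
}

// Usage (assumed request handling):
// try {
//     $stored = handle_upload($_FILES['avatar'], current_user_may_upload());
//     echo json_encode(['file' => $stored]);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo json_encode(['error' => $e->getMessage()]);
// }
```

Because the files land outside the document root, the web server never resolves them as scripts regardless of their extension, and the handler returns only the generated name, so the original client-supplied name never reaches the filesystem or the response.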

Advisories

No advisories yet.

History

Mon, 25 May 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Title | | KLiK SocialMediaWebsite File upload.inc.php uniqid unrestricted upload
First Time appeared | | Klik Socialmediawebsite; Klik Socialmediawebsite klik Socialmediawebsite
Weaknesses | | CWE-284; CWE-434
CPEs | | cpe:2.3:a:klik_socialmediawebsite:klik_socialmediawebsite:*:*:*:*:*:*:*:*
Vendors & Products | | Klik Socialmediawebsite; Klik Socialmediawebsite klik Socialmediawebsite
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
        | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
        | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
        | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T03:15:09.867Z

Reserved: 2026-05-24T06:52:00.508Z

Link: CVE-2026-9421

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T04:30:16Z

Weaknesses