CVE-2026-56124

HIGH NVD

CVSS Score 7.5

Severity HIGH

Published Jun 29, 2026

Vendor unknown

Description

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

References

https://github.com/shimosyan/phpUploader/commit/45dc4f1c9a2de5ade427deebad0148834c0e8c50
https://github.com/shimosyan/phpUploader/pull/294
https://github.com/shimosyan/phpUploader/releases/tag/v2.0.2
https://www.vulncheck.com/advisories/phpuploader-unauthenticated-database-exposure-via-index-model