CVE-2026-22789
Unknown Unknown - Not Provided
File Upload Validation Bypass in WebErpMesv2 Enables RCE

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22789
EUVD
EUVD-2026-1998
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
smewebify weberpmesv2 to 1.19 (exc)
smewebify weberpmesv2 1.18
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-616 The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22789 is a file upload validation bypass vulnerability in the WebErpMesv2 application that allows authenticated users to upload arbitrary files, including malicious PHP scripts, by exploiting incorrect validation of the file upload fields. The application validates the 'image' field but actually processes the 'picture' field for uploads, which is not validated. This allows attackers to bypass restrictions and upload executable files, leading to Remote Code Execution (RCE) on the server. [1]

Impact Analysis

This vulnerability can lead to Remote Code Execution (RCE) by allowing authenticated users to upload and execute arbitrary PHP code on the server. This can result in full system compromise, including unauthorized database access and lateral movement within internal networks. Since uploaded files are stored in publicly accessible directories, attackers can directly access and execute malicious scripts via HTTP requests. [1]

Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious file uploads, especially PHP files uploaded via the 'picture' field to the vulnerable endpoints. One way to detect exploitation attempts is to monitor HTTP POST requests to the endpoints '/quotes/{id}/edit-detail-lines/{id}/image' and '/orders/{id}/edit-detail-lines/{id}/image' with multipart form data containing a 'picture' parameter. You can use network monitoring tools or web server logs to identify such requests. A specific command example to test the vulnerability (proof of concept) is a curl command that uploads a PHP shell via the 'picture' field: curl -X POST "http://target/quotes/1/edit-detail-lines/1/image" -H "Cookie: laravel_session=<session_cookie>" -H "X-CSRF-TOKEN: <csrf_token>" -F "[email protected];type=image/jpeg" -F "id=1". Additionally, scanning the web-accessible upload directories (e.g., 'public_path/images/quote-lines' or 'public_path/images/order-lines') for unexpected PHP files can help detect exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Upgrade WebErpMesv2 to version 1.19 or later where the vulnerability is fixed. 2) Apply the patch that correctly validates the 'picture' upload field with strict rules requiring it to be an image of allowed MIME types (jpeg, png, jpg, gif, svg) and a maximum size of 10MB. 3) Ensure uploaded files are renamed to unique filenames to prevent overwriting and path traversal issues. 4) Store uploaded files outside the web root or restrict direct HTTP access to uploaded files to prevent execution of malicious scripts. 5) Review and monitor file upload endpoints for suspicious activity and unauthorized file types. These steps collectively prevent arbitrary file uploads and remote code execution. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22789. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart