CVE-2026-22789
File Upload Validation Bypass in WebErpMesv2 Enables RCE
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smewebify | weberpmesv2 | < 1.19 (all versions before 1.19, exclusive) |
| smewebify | weberpmesv2 | 1.18 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-616 | The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22789 is a file upload validation bypass in WebErpMesv2 that allows an authenticated user to upload arbitrary files, including PHP scripts, because the upload handler validates the wrong field: the validation rules are applied to the 'image' field, while the code that saves the file reads the 'picture' field, which is never validated. A logged-in attacker can therefore place a PHP file in the 'picture' part of the request and have it stored under a web-accessible path, which leads to Remote Code Execution (RCE) on the server. [1]
How can this vulnerability impact me?
This vulnerability can lead to Remote Code Execution (RCE) by allowing authenticated users to upload and execute arbitrary PHP code on the server. This can result in full system compromise, including unauthorized database access and lateral movement within internal networks. Since uploaded files are stored in publicly accessible directories, attackers can directly access and execute malicious scripts via HTTP requests. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation can be detected by looking for PHP files uploaded via the 'picture' field to the vulnerable endpoints. Monitor HTTP POST requests to '/quotes/{id}/edit-detail-lines/{id}/image' and '/orders/{id}/edit-detail-lines/{id}/image'. Field names are only visible if your reverse proxy or WAF captures request bodies; there, look for multipart form data containing a 'picture' part whose filename or content is PHP. In plain access logs, correlate those POSTs with later GET requests for .php files under the upload directories. A proof-of-concept request, using the 'picture' field with a spoofed image Content-Type, looks like: curl -X POST "http://target/quotes/1/edit-detail-lines/1/image" -H "Cookie: laravel_session=<session_cookie>" -H "X-CSRF-TOKEN: <csrf_token>" -F "picture=@<webshell.php>;type=image/jpeg" -F "id=1". Additionally, scan the web-accessible upload directories ('public_path/images/quote-lines' and 'public_path/images/order-lines') for files with PHP extensions, and for image files whose body contains a PHP open tag. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps: 1) Upgrade WebErpMesv2 to version 1.19 or later, where the vulnerability is fixed. 2) If you cannot upgrade yet, apply the fix that validates the 'picture' field (the field the handler actually consumes) with strict rules: it must be an image of an allowed type (jpeg, png, jpg, gif, svg) and at most 10MB. Validate by file content, not by the client-supplied Content-Type, and treat svg with care since it can carry script. 3) Store uploaded files under server-generated unique filenames so that client-chosen names cannot overwrite existing files or traverse paths. 4) Store uploads outside the web root, or configure the web server so that files under the upload directories are served as static content and never executed as PHP. 5) Review and monitor the file upload endpoints for suspicious activity and unexpected file types. Together these steps prevent arbitrary file uploads and remote code execution. [1, 2]