CVE-2026-2133
Unknown Unknown - Not Provided
Unrestricted File Upload in Online Music Site AdminUpdateCategory.php

Publication date: 2026-02-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2133
EUVD
EUVD-2026-5815
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fabian online_music_site 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2133 is an arbitrary file upload vulnerability in the Online Music Site version 1.0, specifically in the AdminUpdateCategory.php file. The vulnerability occurs because the application does not properly validate uploaded files, allowing attackers to manipulate the "txtimage" argument and bypass file type detection by forging HTTP headers such as "Content-Type" and "Content-Disposition."'}, {'type': 'paragraph', 'content': 'This flaw enables attackers to upload malicious files disguised as images (e.g., PHP scripts with image extensions) without any authentication. Once uploaded, these malicious files can be executed remotely, granting attackers control over the server, the ability to steal sensitive data, or to launch further attacks.'}, {'type': 'paragraph', 'content': 'A proof-of-concept demonstrates uploading a PHP webshell disguised as an image file, which after upload is renamed and accessed to execute commands remotely.'}] [1, 2, 3]

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote control of the affected server by attackers. They can upload and execute malicious scripts, which may lead to data theft, system compromise, and further attacks on the network.

Because the exploit requires no authentication and can be performed remotely, it is highly accessible to attackers, increasing the risk of exploitation.

The vulnerability affects the confidentiality, integrity, and availability of the system, potentially leading to loss or exposure of sensitive information and disruption of services.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of the vulnerable file /Administrator/PHP/AdminUpdateCategory.php on your system and monitoring for suspicious file uploads that bypass file type validation.'}, {'type': 'paragraph', 'content': 'One detection method is to look for uploaded files with suspicious extensions or names, especially files that appear to be images but contain executable code (e.g., PHP code hidden in files with .png or .gif extensions).'}, {'type': 'paragraph', 'content': 'Network detection can include monitoring HTTP requests to the vulnerable upload endpoint for unusual Content-Type or Content-Disposition headers that attempt to disguise malicious files.'}, {'type': 'list_item', 'content': 'Use web server logs to search for POST requests to /Administrator/PHP/AdminUpdateCategory.php with suspicious file upload parameters.'}, {'type': 'list_item', 'content': 'Search for files in the upload directory (e.g., /Administrator/PHP/upload_images/category/) with extensions like .php or files renamed from image extensions to .php.'}, {'type': 'list_item', 'content': "Example command to find suspicious files on the server: `find /path/to/upload_images/category/ -type f \\( -name '*.php' -o -name '*.php.png' \\)`"}, {'type': 'list_item', 'content': "Example command to check web server logs for suspicious uploads: `grep 'AdminUpdateCategory.php' /var/log/apache2/access.log | grep POST`"}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include implementing strict validation of uploaded files beyond relying on HTTP headers.

  • Verify the actual file content by checking file headers or magic numbers to confirm the file type.
  • Implement a whitelist of allowed file extensions such as jpg, png, and pdf, and reject all others, especially script extensions like .php or disguised variants like .php.png.
  • Sanitize file names to exclude special characters and script suffixes.
  • Store uploaded files outside the web root or restrict direct access by serving files through backend processes.
  • Rename uploaded files using randomized strings with fixed safe extensions to prevent attackers from guessing file paths.

If possible, replace the affected component with an alternative product or update to a version that addresses this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart