CVE-2026-4509
Received Received - Intake
Incomplete Blacklist Bypass in PbootCMS File Upload Module

Publication date: 2026-03-21

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4509
EUVD
EUVD-2026-14239
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pbootcms pbootcms to 3.2.12 (inc)
zzj-create pbootcms to 3.2.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
CWE-183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4509 is a security flaw in PbootCMS version 3.2.12 related to the file upload functionality. The vulnerability arises from an incomplete blacklist used to validate uploaded files, which fails to block several dangerous file extensions such as .pht, .phar, .php7, .cgi, .htaccess, and .user.ini.

Because these extensions can be interpreted as executable or configuration files by certain server environments, an authenticated attacker with upload permissions can upload malicious files that may execute arbitrary code or alter server behavior.

The blacklist approach is brittle and does not cover all executable extensions or server-specific parsing behaviors, allowing attackers to bypass restrictions and exploit the system remotely.

Impact Analysis

This vulnerability can lead to remote code execution by allowing attackers to upload malicious files with dangerous extensions that the system fails to block.

Attackers can upload unauthorized files into web-accessible directories, potentially gaining control over the server or manipulating its runtime behavior.

Specifically, attackers might upload files like .htaccess or .user.ini to change server configuration, which can further compromise security.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to upload files with dangerous extensions that are not properly blocked by the blacklist in PbootCMS up to version 3.2.12. Specifically, files with extensions such as .pht, .phar, .php7, .cgi, .htaccess, and .user.ini can be tested.'}, {'type': 'paragraph', 'content': 'A proof-of-concept Python script exists that automates testing by uploading files with these bypass extensions containing PHP code that outputs a test string. The script sends POST requests to the upload endpoint /member/upload and checks the server response to confirm if the upload and execution are possible.'}, {'type': 'paragraph', 'content': "To manually test, you can use curl commands to upload files with these extensions to the /member/upload endpoint and observe the server's response. For example:"}, {'type': 'list_item', 'content': 'curl -F "[email protected]" https://targetsite.com/member/upload'}, {'type': 'list_item', 'content': 'curl -F "[email protected]" https://targetsite.com/member/upload'}, {'type': 'list_item', 'content': 'curl -F "[email protected]" https://targetsite.com/member/upload'}, {'type': 'list_item', 'content': 'curl -F "[email protected]" https://targetsite.com/member/upload'}, {'type': 'list_item', 'content': 'curl -F "[email protected]" https://targetsite.com/member/upload'}, {'type': 'paragraph', 'content': 'If the server accepts these uploads and executes or processes them, the vulnerability is present.'}] [1]

Mitigation Strategies

Immediate mitigation steps include replacing the current blacklist approach with a strict allowlist of permitted file types for upload.

Additionally, uploaded files should be stored outside the web root directory to prevent direct web access and execution.

It is also recommended to disable script execution in the upload directories to prevent execution of any uploaded malicious files.

These steps reduce the risk of remote code execution and unauthorized manipulation of server behavior through dangerous file uploads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4509. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart