CVE-2026-6650
Received
Received - Intake
Unrestricted File Upload in Z-BlogPHP AppCentre Plugin
Vulnerability report for CVE-2026-6650, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| z-blogphp | z-blogphp | 1.7.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |