CVE-2026-10172
Unrestricted File Upload in Bdtask Multi-Store Inventory Management System
Publication date: 2026-05-31
Last updated on: 2026-05-31
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bdtask | multi-store_inventory_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10172 is a Remote Code Execution (RCE) vulnerability in the Bdtask Multi-Store Inventory Management System version 1.0. The flaw exists in the module upload feature, where an authenticated admin can upload a malicious ZIP archive containing a PHP file.
The application extracts the archive into the application/modules/ directory and then includes an attacker-controlled PHP file (config/config.php) without proper validation. This leads to arbitrary PHP code execution on the server whenever the Add Module page is loaded.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious uploads of ZIP archives to the module upload feature by authenticated admin users. Specifically, look for uploads that result in the extraction of files into the application/modules/ directory, especially if they include PHP files such as config/config.php.
You can also check for unexpected PHP files in the application/modules/ directory or unusual HTTP requests to the Add Module page that might trigger the inclusion of attacker-controlled PHP files.
- Use web server logs to identify POST requests to the module upload endpoint.
- Run commands to find recently added or modified PHP files in the application/modules/ directory, for example: `find /path/to/application/modules/ -name '*.php' -mtime -7`
- Use grep to search for suspicious PHP code or webshell signatures in the modules directory: `grep -r 'eval(' /path/to/application/modules/`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the module upload feature to only fully trusted administrators and monitoring or disabling the upload functionality if possible.
Validate and sanitize all uploaded files to prevent malicious archives from being extracted and executed.
Remove any suspicious or unauthorized PHP files found in the application/modules/ directory.
Apply any available patches or updates from the vendor as soon as they are released.
Monitor logs for unusual activity related to module uploads and the Add Module page.
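The detection commands above (recently modified PHP files, signature grep) and the mitigation advice to validate uploaded archives before extraction can be combined into one triage script. The following is an added example written for this page, not code from Bdtask or VulDB; the module directory layout, the suspicious-pattern list and the sample file contents are assumptions chosen for illustration, and a real deployment would tune the patterns and the age window.

```python
import io
import re
import sys
import time
import zipfile
from pathlib import Path

# Signatures often seen in PHP webshells. This list is an assumption for the
# example; extend it with whatever your own detection content uses.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\b(?:system|shell_exec|passthru|exec)\s*\("),
    re.compile(rb"\bbase64_decode\s*\("),
]

# Extensions the web server would execute as PHP (assumed typical configuration).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".inc"}


def find_recent_php(modules_dir, days=7, now=None):
    """Equivalent of `find modules/ -name '*.php' -mtime -<days>`: relative
    paths of PHP files modified within the last `days` days."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    root = Path(modules_dir)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_EXTENSIONS:
            if path.stat().st_mtime >= cutoff:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def scan_bytes(data):
    """Return the suspicious patterns (as strings) that match a file's content."""
    return [p.pattern.decode() for p in SUSPICIOUS_PATTERNS if p.search(data)]


def scan_for_signatures(modules_dir):
    """Equivalent of a recursive grep over the modules directory:
    {relative_path: [matched patterns]} for every file with at least one hit."""
    root = Path(modules_dir)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file():
            matched = scan_bytes(path.read_bytes())
            if matched:
                findings[path.relative_to(root).as_posix()] = matched
    return findings


def inspect_archive(zip_source):
    """Inspect an uploaded module ZIP *without extracting it*. Reports entries
    that would escape the target directory, entries the server would execute
    as PHP, and PHP entries whose content matches a suspicious pattern, so an
    operator can reject or review the upload before anything reaches
    application/modules/."""
    report = {"traversal": [], "php_entries": [], "signature_hits": {}}
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = Path(name).parts
            if name.startswith(("/", "\\")) or ".." in parts:
                report["traversal"].append(name)
            if Path(name).suffix.lower() in PHP_EXTENSIONS:
                report["php_entries"].append(name)
                matched = scan_bytes(zf.read(info))
                if matched:
                    report["signature_hits"][name] = matched
    return report


def archive_is_clean(zip_source):
    """True only if the archive has no traversal entries and no signature hits."""
    report = inspect_archive(zip_source)
    return not report["traversal"] and not report["signature_hits"]


if __name__ == "__main__":
    # Usage: python triage.py /path/to/application/modules [upload.zip]
    modules = sys.argv[1]
    print("recent PHP files:", find_recent_php(modules))
    print("signature hits:", scan_for_signatures(modules))
    if len(sys.argv) > 2:
        print("archive report:", inspect_archive(sys.argv[2]))
```

`inspect_archive` accepts either a filesystem path or a file-like object, so it can run on the request body before the application writes anything to disk; `archive_is_clean` is the single boolean a pre-extraction gate would check. Whether legitimate modules are allowed to contain PHP at all is a policy decision for the deployment, which is why PHP entries are reported separately rather than treated as an automatic rejection.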
How can this vulnerability impact me?
An attacker exploiting this vulnerability can execute arbitrary operating system commands on the server, read or modify files, or establish a persistent backdoor.
This can lead to full compromise of the affected system, unauthorized access to sensitive data, and potential disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated admin to upload malicious code leading to remote code execution, which can result in unauthorized access, modification, or disclosure of sensitive data.
Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.
Exploitation of this vulnerability could lead to violations of confidentiality, integrity, and availability requirements mandated by these standards.