CVE-2026-10172
Deferred Deferred - Pending Action
Unrestricted File Upload in Bdtask Multi-Store Inventory Management System

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The manipulation of the argument module results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-31
Last Modified
2026-05-31
Generated
2026-06-20
AI Q&A
2026-05-31
EPSS Evaluated
2026-06-19
NVD
CVE-2026-10172
EUVD
EUVD-2026-33492
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bdtask multi-store_inventory_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10172 is a Remote Code Execution (RCE) vulnerability in the Bdtask Multi-Store Inventory Management System version 1.0. The flaw exists in the module upload feature, where an authenticated admin can upload a malicious ZIP archive containing a PHP file.

The application extracts the archive into the application/modules/ directory and then includes an attacker-controlled PHP file (config/config.php) without proper validation. This leads to arbitrary PHP code execution on the server whenever the Add Module page is loaded.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary operating system commands on the server, read or modify files, or establish a persistent backdoor.

This can lead to full compromise of the affected system, unauthorized access to sensitive data, and potential disruption of services.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious uploads of ZIP archives to the module upload feature by authenticated admin users. Specifically, look for uploads that result in the extraction of files into the application/modules/ directory, especially if they include PHP files such as config/config.php.

You can also check for unexpected PHP files in the application/modules/ directory or unusual HTTP requests to the Add Module page that might trigger the inclusion of attacker-controlled PHP files.

  • Use web server logs to identify POST requests to the module upload endpoint.
  • Run commands to find recently added or modified PHP files in the application/modules/ directory, for example: find /path/to/application/modules/ -name '*.php' -mtime -7
  • Use grep to search for suspicious PHP code or webshell signatures in the modules directory: grep -r 'eval(' /path/to/application/modules/
Mitigation Strategies

Immediate mitigation steps include restricting access to the module upload feature to only fully trusted administrators and monitoring or disabling the upload functionality if possible.

Validate and sanitize all uploaded files to prevent malicious archives from being extracted and executed.

Remove any suspicious or unauthorized PHP files found in the application/modules/ directory.

Apply any available patches or updates from the vendor as soon as they are released.

Monitor logs for unusual activity related to module uploads and the Add Module page.

Compliance Impact

The vulnerability allows an authenticated admin to upload malicious code leading to remote code execution, which can result in unauthorized access, modification, or disclosure of sensitive data.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.

Exploitation of this vulnerability could lead to violations of confidentiality, integrity, and availability requirements mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart