CVE-2026-8133
Status: Received (Intake)
SQL Injection in FilePress up to 2.2.0

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: VulDB

Description
A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected is an unknown function of the file dzz/shares/admin.php of the component Shares Filelist API. Manipulation of the argument order leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The name of the patch is e20ec58414103f781858f2951d178e19b1736664. Applying the patch remediates this issue.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-08
EPSS Evaluated: 2026-06-18
Affected Vendors & Products (1 associated CPE)
Vendor: zyx0814
Product: filepress
Version / Range: up to and including 2.2.0
Associated CWEs
CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Quick Actions
Executive Summary

CVE-2026-8133 is a critical pre-authentication SQL injection vulnerability in FilePress (zyx0814), versions up to 2.2.0. It arises because the 'order' parameter of the Shares Filelist API (reached through dzz/shares/admin.php and dzz/shares/ajax.php) is not validated before being concatenated into an SQL ORDER BY clause.

An unauthenticated attacker can therefore place SQL expressions into the ORDER BY clause by manipulating the 'order' parameter of a GET request. The public exploit first creates multiple anonymous share records and bypasses certain application filters, then uses the injection point for time-based blind extraction.

Successful exploitation lets the attacker read sensitive data from the database, including administrator credentials (username, password hash and salt), and can lead to full database compromise.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data stored in the FilePress database.

  • Attackers can extract administrator credentials such as usernames, password hashes, and salts.
  • Full database compromise is possible, allowing attackers to retrieve user records, configuration details, and file attachment paths.
  • With stolen admin credentials, attackers can log into the backend panel and potentially execute remote code by installing malicious plugins.

Overall, this can lead to complete loss of data confidentiality, integrity, and availability within the affected system.

Detection Guidance

Detection focuses on the 'order' parameter of GET requests to the Shares Filelist API (dzz/shares/admin.php and dzz/shares/ajax.php; through the index.php router this is mod=shares&op=ajax&do=filelist). The endpoint requires no authentication, so any client can probe it.

Send requests whose 'order' value is something other than asc or desc and compare the responses: a SQL error, a changed row order, or a measurable delay for a time-based payload indicates that the value reaches the query unvalidated.

Baseline and probe requests with curl; the -w option prints the round-trip time so a delayed probe stands out against the two baselines:

  • curl -s -o /dev/null -w '%{time_total}\n' "http://target/index.php?mod=shares&op=ajax&do=filelist&order=asc"
  • curl -s -o /dev/null -w '%{time_total}\n' "http://target/index.php?mod=shares&op=ajax&do=filelist&order=desc"
  • curl -s -o /dev/null -w '%{time_total}\n' "http://target/index.php?mod=shares&op=ajax&do=filelist&order=asc,(SELECT%20SLEEP(5))" (time-based probe that stays inside the ORDER BY clause, assuming the parameter lands in the sort-direction position that the patch whitelists)
  • curl -s -o /dev/null -w '%{time_total}\n' "http://target/index.php?mod=shares&op=ajax&do=filelist&order=asc;SLEEP(5)--" (stacked-query variant; it only fires if the database driver executes several statements per call, so a fast response here does not rule the bug out)

Additionally, creating multiple anonymous share records via the shareAddSubmit endpoint and then running time-based blind SQL injection tests, as the public exploit does, confirms exploitability rather than just the injection point.
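For the defender's side of the same detection guidance, here is an added example (not FilePress code and not part of this advisory) that scans web-server access logs for the two signals described above: an 'order' value outside asc/desc on a mod=shares request, and a burst of anonymous share creations from one client. It assumes the combined log format and the index.php routing quoted on this page; the do=shareAddSubmit query value, the burst threshold and the log lines themselves are constructed for the demo.

```python
"""Scan access logs for probes against the FilePress 'order' parameter.

Added example, not FilePress code. Assumes Apache/nginx "combined" log
format and the index.php?mod=shares&op=ajax&do=filelist routing quoted
on this page. The anonymous share-creation endpoint is assumed to be
reachable as do=shareAddSubmit; the log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

ALLOWED_ORDER = {"asc", "desc"}   # the only values the patched code accepts
SHARE_ADD_THRESHOLD = 3           # shareAddSubmit calls per IP before we flag a burst (assumption)

# Minimal combined-log parser: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two benign baselines, two probes, and a burst of anonymous shares.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2026:10:00:01 +0000] "GET /index.php?mod=shares&op=ajax&do=filelist&order=asc HTTP/1.1" 200 512
203.0.113.7 - - [08/May/2026:10:00:02 +0000] "GET /index.php?mod=shares&op=ajax&do=filelist&order=DESC HTTP/1.1" 200 512
198.51.100.9 - - [08/May/2026:10:00:05 +0000] "GET /index.php?mod=shares&op=ajax&do=filelist&order=asc;SLEEP(5)-- HTTP/1.1" 200 512
198.51.100.9 - - [08/May/2026:10:00:11 +0000] "GET /index.php?mod=shares&op=ajax&do=filelist&order=%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 512
198.51.100.9 - - [08/May/2026:10:00:12 +0000] "POST /index.php?mod=shares&op=ajax&do=shareAddSubmit HTTP/1.1" 200 88
198.51.100.9 - - [08/May/2026:10:00:12 +0000] "POST /index.php?mod=shares&op=ajax&do=shareAddSubmit HTTP/1.1" 200 88
198.51.100.9 - - [08/May/2026:10:00:13 +0000] "POST /index.php?mod=shares&op=ajax&do=shareAddSubmit HTTP/1.1" 200 88
"""


def parse_query(target):
    """Return (path, params) for a request target.

    Splits on '&' only, so a ';' inside a value (as in the stacked-query
    probe) stays part of the value instead of starting a new parameter.
    """
    parts = urlsplit(target)
    params = {}
    for pair in parts.query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return parts.path, params


def scan_log(text):
    """Return a list of findings; each is a dict with a 'kind' and the client 'ip'."""
    findings = []
    share_adds = Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        _path, params = parse_query(m.group("target"))
        if params.get("mod") != "shares":
            continue
        # Rule 1: any 'order' value the patch would reject is a probe or an exploit attempt.
        order = params.get("order")
        if order is not None and order.strip().lower() not in ALLOWED_ORDER:
            findings.append({"line": lineno, "ip": ip, "kind": "order_injection", "value": order})
        # Rule 2: count anonymous share creations per client; the exploit needs several.
        if params.get("do") == "shareAddSubmit":
            share_adds[ip] += 1
    for ip, count in share_adds.items():
        if count >= SHARE_ADD_THRESHOLD:
            findings.append({"ip": ip, "kind": "share_burst", "count": count})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Rule 1 is the one worth wiring into a WAF or SIEM rule: after the patch, the only legitimate values are asc and desc in any letter case, so the whitelist comparison has no false positives against benign traffic. Rule 2 is a weaker corroborating signal and its threshold should be tuned to the site's normal share-creation rate.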

Mitigation Strategies

The immediate remediation is to apply the official patch (commit e20ec58414103f781858f2951d178e19b1736664), which restricts the 'order' parameter to the literal values asc and desc: the value is normalized to lowercase and then compared with strict type comparison, so nothing else reaches the ORDER BY clause.
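The pattern the patch closes, shown as an added example in Python with SQLite (not FilePress's PHP code and not taken from the patch): a builder that splices the request value straight into ORDER BY, beside one that applies the lowercase-then-whitelist check the patch is described as adding. The table layout, column names, sample rows, the probe payload and the fallback to asc on a rejected value are all assumptions made for the demo.

```python
"""ORDER BY direction handling: the pre-patch pattern beside the hardened form.

Added example, not FilePress code. The shares/admin tables, their columns and
rows are constructed for the demo; FilePress's real schema is not on this page.
"""
import sqlite3

ALLOWED_ORDER = {"asc", "desc"}


def build_filelist_sql_vulnerable(order):
    """Pre-patch pattern: the request parameter is concatenated into ORDER BY as-is."""
    return f"SELECT sid FROM shares ORDER BY dateline {order}"


def normalize_order(order):
    """What the page says the patch does: lowercase, then strict whitelist comparison.

    Falling back to 'asc' on a rejected value is this example's choice; the
    point is that the request string itself never reaches the query.
    """
    value = (order or "").strip().lower()
    return value if value in ALLOWED_ORDER else "asc"


def build_filelist_sql_hardened(order):
    """Post-patch pattern: only a whitelisted literal is ever interpolated."""
    return f"SELECT sid FROM shares ORDER BY dateline {normalize_order(order)}"


def open_demo_db():
    """In-memory database with a constructed shares table and an admin row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE shares(sid INTEGER PRIMARY KEY, dateline INTEGER);
        INSERT INTO shares VALUES (1, 100), (2, 200), (3, 300);
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def run_filelist(builder, order):
    """Execute the query produced by `builder` and return the sids in result order."""
    conn = open_demo_db()
    try:
        return [row[0] for row in conn.execute(builder(order))]
    finally:
        conn.close()


# Boolean-based blind probe for the direction position: the injected expression
# multiplies the sort key by -1 when the guess about the admin password hash is
# right, so the row order itself leaks one bit per request. No stacked queries
# and no error messages are needed, which is why an ORDER BY injection is enough
# to extract credentials one character at a time.
PROBE = "* (SELECT CASE WHEN substr(password,1,1)='5' THEN -1 ELSE 1 END FROM admin)"

if __name__ == "__main__":
    print("vulnerable, asc  :", run_filelist(build_filelist_sql_vulnerable, "asc"))
    print("vulnerable, probe:", run_filelist(build_filelist_sql_vulnerable, PROBE))
    print("hardened,   probe:", run_filelist(build_filelist_sql_hardened, PROBE))
    print("hardened,   DESC :", run_filelist(build_filelist_sql_hardened, "DESC"))
```

The whitelist works because the sort direction is a fixed vocabulary, which is why it does not need parameter binding: database drivers cannot bind identifiers or keywords in ORDER BY, so a strict comparison against the two literals is the correct fix for this class of injection. The same approach applies to a user-selectable sort column, with the column names as the whitelist.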

Other recommended mitigations include:

  • Add authentication requirements to the filelist API and shareAddSubmit endpoints to prevent unauthenticated access.
  • Restrict or disable the creation of anonymous share records (uid=0) via unauthenticated requests.
  • Monitor and block suspicious requests that attempt to manipulate the 'order' parameter or exploit SQL injection.

Applying the patch identified by commit e20ec58414103f781858f2951d178e19b1736664 is critical to remediate this issue.

Compliance Impact

CVE-2026-8133 is a critical pre-authentication SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data, including administrator credentials, from the database. Successful exploitation can lead to full database compromise, exposing user records, configuration data, and attachment paths.

Such unauthorized access and data exposure can lead to violations of common data protection standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

Failure to remediate this vulnerability could result in non-compliance due to potential data breaches, unauthorized data disclosure, and lack of adequate security controls.

Applying the recommended patch and security measures (such as whitelisting parameters and adding authentication) is essential to maintain compliance with these standards.
