CVE-2026-56124
Received Received - Intake

Information Disclosure in phpUploader Before 2.0.2

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-56124
EUVD
EUVD-2026-40114

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
phpuploader phpuploader to 2.0.2 (exc)
shimosyan phpuploader to 2.0.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

phpUploader before version 2.0.2 contains an unauthenticated information disclosure vulnerability. This flaw allows remote attackers to access the full contents of the uploaded-files database table simply by visiting any page of the application.

The vulnerability arises because the index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block. This exposes sensitive information such as uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

Impact Analysis

This vulnerability can lead to significant privacy and security risks because it exposes sensitive metadata without any authentication.

  • Attackers can obtain uploader IP addresses, which may reveal user locations or identities.
  • Exposure of Argon2ID key hashes could potentially aid attackers in compromising authentication or encryption mechanisms.
  • Internal filenames and SHA-256 fingerprints being disclosed can reveal internal system details and file integrity information.

Overall, this can lead to unauthorized data exposure, privacy violations, and could be leveraged for further attacks against the system or its users.

Detection Guidance

This vulnerability can be detected by checking if the phpUploader application version is prior to 2.0.2, as all versions before this contain the unauthenticated information disclosure flaw.

To detect exploitation attempts or presence of the vulnerability, you can monitor HTTP requests to any page of the phpUploader application and inspect responses for JSON-encoded data embedded in inline script blocks that expose sensitive information such as uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

Suggested commands to detect this on a system or network include:

  • Use curl or wget to fetch pages from the phpUploader application and grep for sensitive fields in the response, for example: curl -s http://your-phpuploader-url/ | grep -E 'ip_address|dl_key_hash|del_key_hash|stored_file_name|file_hash'
  • Use network traffic capture tools like tcpdump or Wireshark to monitor HTTP responses from the phpUploader server and search for JSON data containing sensitive fields.
  • Check the installed phpUploader version by inspecting the application files or version metadata to confirm if it is older than 2.0.2.
Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade phpUploader to version 2.0.2 or later, as this version includes a patch that restricts metadata exposure and improves JSON escaping to prevent information disclosure.

If upgrading immediately is not possible, consider restricting access to the phpUploader application pages to trusted users or networks to prevent unauthenticated remote attackers from accessing sensitive data.

Additionally, review and limit the data exposed in the uploaded files listing by configuring or patching the application to exclude sensitive fields such as IP addresses, key hashes, internal filenames, and file hashes.

Compliance Impact

The vulnerability in phpUploader before version 2.0.2 allows unauthenticated remote attackers to access sensitive information stored in the uploaded-files database table. This includes uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

Exposure of such private and sensitive data can lead to non-compliance with data protection regulations and standards such as GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

Specifically, the vulnerability is associated with CWE-359 (Exposure of Private Personal Information) and CWE-497 (Exposure of Sensitive System Information), indicating a risk of violating privacy and security requirements mandated by these regulations.

Therefore, organizations using vulnerable versions of phpUploader may face compliance risks due to unauthorized disclosure of personal and sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56124. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart