CVE-2026-15518
Received Received - Intake

Unrestricted File Upload in AREA 17 Twill CMS

Vulnerability report for CVE-2026-15518, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability has been found in AREA 17 Twill CMS up to 3.6.0. The impacted element is the function FileLibraryController::storeFile of the file src/Http/Controllers/Admin/FileLibraryController.php of the component Media Library Insert Page. Such manipulation of the argument qqfilename leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
area_17 twill_cms to 3.6.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users with Publisher privileges to upload arbitrary files, including executable PHP files, leading to remote code execution and potential full system compromise.

Such a compromise can result in unauthorized access to sensitive data, data theft, and persistent unauthorized access, which may violate data protection requirements under standards like GDPR and HIPAA.

Because the vulnerability enables bypassing intended access controls and exposes the system to remote exploitation, it undermines the confidentiality, integrity, and availability of data, core principles required by these regulations.

Impact Analysis

This vulnerability can have severe impacts including full system compromise. An attacker can execute arbitrary code on the server, potentially leading to data theft, unauthorized access, and persistent control over the affected system.

Since the exploit requires only standard Publisher privileges and no special configuration, it is straightforward to exploit in default installations, increasing the risk.

Executive Summary

CVE-2026-15518 is a vulnerability in AREA 17 Twill CMS version 3.6.0 that allows authenticated users with the Publisher role to upload arbitrary files without proper validation. The issue lies in the FileLibraryController::storeFile function, which does not validate the filename or file type, allowing attackers to upload malicious files such as PHP scripts.

Because the uploaded files are stored with their original extensions in a publicly accessible directory, an attacker can upload a PHP file and execute it remotely by accessing its URL. This leads to remote code execution (RCE) on the server with the privileges of the web server user.

Detection Guidance

This vulnerability can be detected by checking if the File Library upload endpoint in Twill CMS version 3.6.0 allows authenticated users with Publisher role privileges to upload files without proper validation.

One way to detect it is to attempt uploading a PHP file through the file upload interface and then verify if the file is stored with its original extension in a publicly accessible directory.

Commands to detect this might include using curl or similar tools to upload a test PHP file and then accessing the uploaded file URL to check if it executes.

  • curl -F "qqfilename=test.php" -F "[email protected]" -u publisher_user:password https://target-site.com/admin/file-library/upload
  • curl https://target-site.com/uploads/test.php

If the uploaded PHP file executes (e.g., returns PHP info or a custom payload output), the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling file uploads for users with Publisher role privileges until a patch or fix is available.

Additionally, restrict public access to the uploads directory to prevent execution of uploaded files.

Implement server-side validation to block uploading of executable file types such as PHP.

Monitor and remove any suspicious files that may have been uploaded.

Consider applying web server configuration changes to disable execution of scripts in the uploads directory.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart