CVE-2026-15530
Received Received - Intake

Information Disclosure in WuzhiCMS via Attachment API

Vulnerability report for CVE-2026-15530, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A flaw has been found in WuzhiCMS up to 4.1.0. Affected by this vulnerability is the function config/listimage of the file /index.php?m=attachment&f=index&v=upload of the component Attachment API. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wuzhicms wuzhicms to 4.1.0 (inc)
wuzhicms wuzhicms to 4.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in WuzhiCMS allows unauthorized remote attackers to disclose sensitive information such as system configurations and uploaded files, including member uploads and admin media. This exposure of potentially sensitive personal or organizational data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Specifically, the lack of proper authentication checks in the Attachment API enables attackers to enumerate and access files and configuration details that may contain personal or confidential data. This undermines the confidentiality principle mandated by these regulations, increasing the risk of data breaches and regulatory penalties.

To maintain compliance, organizations using affected versions of WuzhiCMS must implement proper authentication and access controls to prevent unauthorized data disclosure.

Executive Summary

CVE-2026-15530 is a vulnerability in WuzhiCMS up to version 4.1.0 affecting the Attachment API component, specifically the config/listimage function in the file /index.php?m=attachment&f=index&v=upload. This flaw allows unauthenticated remote attackers to access sensitive information by bypassing authorization checks.

The vulnerability enables attackers to disclose system configurations such as allowed file types, size limits, storage paths, and remote-fetch settings, as well as enumerate uploaded attachments including their direct URLs and metadata. Attackers can also perform keyword-based searches to find specific files.

Impact Analysis

This vulnerability can lead to information disclosure by exposing sensitive files and system configuration details to unauthorized users. Attackers can access member uploads, administrative media, documents, and other attachments without authentication.

Such exposure can facilitate further attacks by revealing system settings and file locations, potentially compromising the confidentiality of data stored on the affected system.

Detection Guidance

This vulnerability can be detected by sending specific HTTP GET requests to the affected WuzhiCMS server endpoints and observing the responses for unauthorized information disclosure.

  • Send a GET request to /index.php?m=attachment&f=index&v=upload&action=config to check if configuration details such as allowed file types, size limits, storage paths, and remote-fetch settings are disclosed.
  • Send a GET request to /index.php?m=attachment&f=index&v=upload&action=listimage to see if a list of uploaded files with direct URLs and metadata is returned.
  • Send a GET request to /index.php?m=attachment&f=index&v=upload&action=listimage&q=keyword (e.g., q=invoice) to test if keyword-based search for attachments is possible.

These requests can be performed using command-line tools such as curl. For example:

  • curl -i "http://target/index.php?m=attachment&f=index&v=upload&action=config"
  • curl -i "http://target/index.php?m=attachment&f=index&v=upload&action=listimage"
  • curl -i "http://target/index.php?m=attachment&f=index&v=upload&action=listimage&q=invoice"
Mitigation Strategies

Immediate mitigation steps include implementing proper authentication and authorization checks on the Attachment API endpoints to prevent unauthenticated access.

Specifically, restrict access to configuration information and attachment listings only to authenticated users and scope file listings to the ownership of the authenticated user.

Additionally, monitor and restrict access to the vulnerable endpoints and consider applying any available patches or updates once released.

As a temporary measure, you may also block or filter requests to the vulnerable URLs at the web application firewall or server level to reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15530. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart