File Upload Vulnerability in osCommerce by osCommerce
CVE-2009-20006

9.3CRITICAL

Key Information:

Vendor: Oscommerce
Status: Oscommerce
Vendor: CVE Published:; 16 September 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2009-20006?

The administrative file manager in osCommerce versions up to 2.2 RC2a is susceptible to an arbitrary file upload vulnerability. This flaw exists due to inadequate input validation and improper access control within the file management interface (admin/file_manager.php). An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to upload a malicious PHP file. Once uploaded, this file can be executed on the server, enabling the attacker to run arbitrary code and compromise the system.

Affected Version(s)

osCommerce * <= 2.2 RC2a

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2009-20006 - Proof of Concept

References

https://raw.githubusercontent.com/rapid7/metasploit-frame...

exploit

https://www.exploit-db.com/exploits/9556

exploit

https://www.exploit-db.com/exploits/16899

exploit

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Sep 16, 2025
👾
Exploit known to exist
Sep 16, 2025
Vulnerability published
Sep 16, 2025
Vulnerability Reserved
Aug 27, 2025

Credit

flyh4t

Oscommerce

Badges

What is CVE-2009-20006?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit