Unauthenticated Information Disclosure in phpUploader by Shimosyan
CVE-2026-56124

8.7HIGH

Key Information:

Vendor

Shimosyan

Status
PHPuploader
Vendor
CVE Published:
29 June 2026

What is CVE-2026-56124?

phpUploader versions prior to 2.0.2 suffer from an unauthenticated information disclosure vulnerability. This flaw allows remote attackers to access sensitive data stored in the uploaded-files database table by simply visiting any page within the application. The vulnerability arises due to the index model executing an unbounded SELECT query, which leads to the complete JSON-encoded result set being embedded in an inline script block. This, in turn, exposes critical information, including uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. It poses significant risks for data privacy and system integrity, making it imperative for users to upgrade to the patched version.

Affected Version(s)

phpUploader 0

References

https://github.com/shimosyan/phpUploader/releases/tag/v2.0.2
release-notes
https://github.com/shimosyan/phpUploader/pull/294
issue-tracking
https://github.com/shimosyan/phpUploader/commit/45dc4f1c9...
patch

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

@rayyb0t (https://github.com/rayyb0t)
VulnCheck
.