Server-Side Request Forgery Vulnerability in PHPEMS Instant Exam Creation Handler
CVE-2026-6573

5.3 MEDIUM

Key Information:

Vendor: PHPEMS

Status
Vendor
CVE Published: 19 April 2026

What is CVE-2026-6573?

A server-side request forgery (SSRF) vulnerability has been identified in PHPEMS 11.0, in the Instant Exam Creation Handler. The issue lies in the temppage function of the file exams.master.php, where improper handling of the uploadfile argument can lead to SSRF. An attacker can use it to make the server issue remote requests, which may expose sensitive data or allow further exploitation. The exploit is now public, so users of PHPEMS should implement the necessary security measures to safeguard against potential attacks.

Affected Version(s)

PHPEMS 11.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

vulnplusbot (VulDB User)