SQL Injection Vulnerability in zyx0814 FilePress Filelist API
CVE-2026-8133

6.9MEDIUM

Key Information:

Vendor: Zyx0814
Status: Filepress
Vendor: CVE Published:; 8 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-8133?

A vulnerability discovered in zyx0814 FilePress involves a SQL injection concern within the Shares Filelist API. This loophole allows attackers to manipulate the argument order of the admin.php file, facilitating unauthorized access to the database. Eager exploitation of this vulnerability has been reported publicly, prompting the need for immediate remediation through the application of the patch identified as e20ec58414103f781858f2951d178e19b1736664. Users of FilePress versions up to 2.2.0 must act quickly to mitigate potential threats.

Affected Version(s)

FilePress 2.0

FilePress 2.1

FilePress 2.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-8133 - Proof of Concept

References

https://vuldb.com/vuln/361923

vdb-entrytechnical-description

https://vuldb.com/vuln/361923/cti

signaturepermissions-required

https://vuldb.com/submit/808819

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 8, 2026
👾
Exploit known to exist
May 8, 2026
Vulnerability published
May 8, 2026
Vulnerability Reserved
May 7, 2026

Credit

xyhackr (VulDB User)

CVE-2026-8133 Data

JSON

Zyx0814