CVE-2026-56124
HIGHDescription
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2026-56124? +
How severe is CVE-2026-56124? +
How do I check if I'm vulnerable to CVE-2026-56124? +
Related Vulnerabilities
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full …
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 …
In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a …
gpp-burgerportaal is a Dutch government citizen portal application. In versions before 2.0.3, 3.0.2, and 4.0.1, the name and email address …
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions …
Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere …