CVE-2026-2113
CRITICAL WAF: Medium
CVSS 9.8
Published: 2026-02-07
CWE-20 CWE-502 CWE-434 CWE-502
A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
920xxx - Protocol Enforcement 941xxx - XSS / XXE 942xxx - SQL Injection
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tpadmin_project | tpadmin | up to 1.3.12 |
References
- github.com (Exploit, Third Party Advisory)
- vuldb.com (Permissions Required, VDB Entry)
- vuldb.com (Third Party Advisory, VDB Entry)
- vuldb.com (Third Party Advisory, VDB Entry)