CVE-2026-2113

7.3 HIGH

Published 2026-02-07 · Modified 2026-02-09 · Awaiting Analysis

Quick Summary

A vulnerability in the WebUploader component of the unsupported yuan1994 tpadmin software allows remote attackers to execute harmful code by sending specially crafted data. This is a serious issue because it can be exploited easily over the network.

Who is affected

Users of tpadmin versions up to 1.3.12 are affected. An attacker could potentially take control of the server by exploiting this deserialization flaw.

Recommended fix

Since the software is no longer supported, the only safe remediation is to remove or replace the tpadmin application. If it must stay, strictly isolate it behind a firewall and block external access to the vulnerable `/public/static/admin/lib/webuploader/` directory.
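To check whether that block is holding, the following added example (not part of the advisory or of tpadmin) scans web server access logs for requests that reached the WebUploader directory and marks those where preview.php was actually served. The log format (nginx/Apache combined), the optional `/public` URL prefix, the sample lines, and the function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory named in the advisory. The optional "/public" prefix is an
# assumption covering both document-root layouts (project root or public/).
VULN_DIR = re.compile(r"^(?:/public)?/static/admin/lib/webuploader/", re.I)
VULN_FILE = "preview.php"

# Common/combined access-log format, the nginx and Apache default.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Feb/2026:10:14:55 +0000] "GET /static/admin/lib/webuploader/0.1.5/webuploader.min.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Feb/2026:10:15:02 +0000] "POST /static/admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.9 - - [08/Feb/2026:10:16:40 +0000] "POST /public/static/admin/lib/webuploader/0.1.5/server/%70review.php?x=1 HTTP/1.1" 403 153 "-" "curl/8.5.0"',
    '192.0.2.10 - - [08/Feb/2026:10:17:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def normalise(target):
    """Drop the query string, percent-decode, and collapse ./ ../ and //."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def scan(lines):
    """Return a finding for every request that touched the WebUploader tree."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = normalise(m["target"])
        if not VULN_DIR.match(path + "/"):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "path": path, "status": status,
            # True when the vulnerable script itself was served, not blocked.
            "exposed": posixpath.basename(path).lower() == VULN_FILE
                       and status < 400,
        })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "EXPOSED" if f["exposed"] else "seen"
        print(f'{flag:8}{f["ip"]:15} {f["method"]:5}{f["status"]} {f["path"]}')
```

Any finding marked exposed means the directory is still reachable from that client and the isolation rule needs to be corrected.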

Technical Description

A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. It affects an unknown part of the file /public/static/admin/lib/webuploader/0.1.5/server/preview.php in the WebUploader component. The manipulation leads to deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-502, CWE-20
