phpKF CMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in phpKF CMS version 3.00 Beta y6. The application's file upload handler validates only the file extension and never inspects the uploaded bytes, so an unauthenticated attacker can upload a PHP web shell under a .png file name, rename the stored file so that it carries a .php extension, and then run operating-system commands by passing them to the shell in a crafted request parameter.

Impact

Successful exploitation gives an unauthenticated remote attacker arbitrary code execution on the server hosting phpKF CMS, with the privileges of the web server process that runs the PHP application.

Reproduction

To reproduce, upload a PHP file whose name ends in .png through the application's file upload feature; the extension check accepts it because it does not inspect the file's contents. Rename the uploaded file so that it ends in .php, then request it from the web server and supply the command to execute in the web shell's parameter.

Added: Jan 15, 2026, 4:51 PM
Updated: Jan 15, 2026, 7:42 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.