Jackying H-ui.admin Remote Code Execution Vulnerability via Unrestricted File Upload
Vulnerability
A remote code execution vulnerability has been identified in Jackying H-ui.admin versions through 3.1. The issue arises in the bundled WebUploader component (version 0.1.5), specifically in the file preview.php in its server directory. The script accepts a base64-encoded data URI, and because the file it writes is named from the MIME subtype the client declares, an unauthenticated attacker can upload arbitrary PHP files to the web server, which are then executed with the privileges of the web server user.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running under the web server's privileges.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/lib/webuploader/0.1.5/server/preview.php' with a payload that includes a PHP file encoded in base64, using the 'data:image/php;base64,' format. This can be done using tools like Burp Suite to intercept and modify the request.
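The fix is to stop trusting the declared MIME type for anything path-related. The following hardened handler is an added example, not the project's own preview.php: it assumes the same input shape the advisory describes (the raw POST body is a "data:<type>;base64,<payload>" string), an assumed output directory named preview, and an allowlist of image types that maps each declared type to a fixed extension.

```php
<?php
// Hardened data-URI preview handler (added example, not the project's code).
// Assumes the raw POST body is "data:<type>;base64,<payload>", as in the advisory.
$allowed = [                      // declared type => fixed, safe extension
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
$previewDir = __DIR__ . '/preview';   // assumed directory; deny script execution there

header('Content-Type: application/json');
$src = file_get_contents('php://input');

// Parse the declared type only to look it up; it never becomes part of a filename.
if (!preg_match('#^data:([a-z]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/=]+)$#i', $src, $m)) {
    http_response_code(400);
    echo json_encode(['error' => 'malformed data URI']);
    exit;
}
$declared = strtolower($m[1]);
$data = base64_decode($m[2], true);   // strict mode rejects non-base64 bytes
if ($data === false || !isset($allowed[$declared])) {
    http_response_code(400);
    echo json_encode(['error' => 'unsupported or undecodable content']);
    exit;
}

// Decide the real type from the bytes, not from what the client claimed.
$detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
if ($detected !== $declared) {
    http_response_code(400);
    echo json_encode(['error' => 'content does not match declared type']);
    exit;
}

// Random name plus allowlisted extension: no client-controlled data reaches the path.
$filename = bin2hex(random_bytes(16)) . '.' . $allowed[$declared];
$path = $previewDir . DIRECTORY_SEPARATOR . $filename;
if (!is_dir($previewDir) || file_put_contents($path, $data, LOCK_EX) === false) {
    http_response_code(500);
    echo json_encode(['error' => 'could not store preview']);
    exit;
}
echo json_encode(['preview' => 'preview/' . $filename]);
```

Even with this check in place, the preview directory should be configured so the web server never executes scripts from it (for example, by routing only static-file handling to that path), which limits the damage if a future bypass appears.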