CVE-2026-1152

4.7 MEDIUM

📋 TL;DR

This vulnerability in technical-laohu mpay up to version 1.2.4 allows remote attackers to upload arbitrary files via the QR Code Image Handler component. The unrestricted file upload vulnerability can lead to server compromise or data exfiltration. All users running affected versions are at risk.

💻 Affected Systems

Products:
  • technical-laohu mpay
Versions: Up to and including 1.2.4
Operating Systems: Any OS running the software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the QR Code Image Handler component specifically


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Malicious file upload enabling web shell installation, data manipulation, or denial of service

🟢 If Mitigated: Limited impact with proper file upload validation and server hardening

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit disclosed publicly on GitHub, remote attack vector

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider upgrading if vendor releases fix or implementing workarounds.

🔧 Temporary Workarounds

File Upload Restriction (all)

Implement strict file upload validation for the QR Code Image Handler. The web-server directives below only cap the request size; file type and content still have to be checked in the application.

# Configure web server to cap upload size (type checks belong in the application)
# Example for Apache: LimitRequestBody 1048576
# Example for Nginx: client_max_body_size 1m;

Input Validation (all)

Add server-side validation for the codeimg parameter. Derive the type from the uploaded bytes (for example with finfo_file on the temporary file), not from the client-supplied $_FILES['codeimg']['type'] or the filename extension, since both are attacker-controlled.

# Validate file type, size, and content before processing
# Example PHP (with $file_type obtained from finfo_file, not from the client):
# if (!in_array($file_type, ['image/png', 'image/jpeg'], true)) { die('Invalid file type'); }
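As an added example (not mpay's own code), a hardened handler for the codeimg parameter that combines the two workarounds above: size cap, byte-level MIME sniffing, re-encoding through GD, and a server-chosen filename stored outside the web root. The storage directory and function name are assumptions.

```php
<?php
// Added example, not part of mpay. Hardened handling of the `codeimg` upload.
// Assumes STORE_DIR is outside the web root (hypothetical path).
declare(strict_types=1);

const MAX_BYTES = 1048576;                              // 1 MiB, as in the workaround above
const STORE_DIR = '/var/lib/mpay/qr';                   // hypothetical, not web-served
const ALLOWED   = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/** Returns the stored path on success; throws on any validation failure. */
function store_qr_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {         // must originate from this request
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Never trust $file['type'] or $file['name']: sniff the actual bytes.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('not a PNG or JPEG');
    }
    // Re-encode through GD so any non-image data riding inside a valid image is dropped.
    $img = $mime === 'image/png'
        ? @imagecreatefrompng($file['tmp_name'])
        : @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image failed to decode');
    }
    // Server-chosen name and extension: no client input reaches the filesystem path.
    $dest = STORE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $ok   = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

// Usage inside the request handler:
// try { $path = store_qr_image($_FILES['codeimg']); }
// catch (RuntimeException $e) { http_response_code(400); exit; }
```

Because the stored file is written by the server under a random name with a fixed image extension into a directory the web server never executes from, a renamed script never becomes reachable even if a later check is bypassed.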

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block malicious upload patterns
  • Isolate the affected system from critical networks and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check if technical-laohu mpay version is 1.2.4 or earlier

Check Version:

# Check version in application configuration or package manager

Verify Fix Applied:

Test file upload functionality with malicious payloads to ensure proper validation

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to QR Code handler
  • Large or unexpected file types in upload logs
  • Failed upload attempts with suspicious filenames

Network Indicators:

  • HTTP POST requests to QR Code Image Handler with unusual payloads
  • File uploads with non-image extensions

SIEM Query:

source="web_logs" AND (uri="*qr*" OR uri="*upload*") AND (method="POST") AND (size>1048576 OR file_type!="image/*")
