CVE-2026-2113

7.3 HIGH

📋 TL;DR

This CVE describes a remote code execution vulnerability in the WebUploader component shipped with yuan1994 tpadmin, caused by insecure deserialization in preview.php. An attacker can exploit it to execute arbitrary code on an affected system. It affects tpadmin versions up to 1.3.12, which are no longer supported by the maintainer.

💻 Affected Systems

Products:
  • yuan1994 tpadmin
Versions: up to 1.3.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where the WebUploader component is enabled and reachable at /public/static/admin/lib/webuploader/0.1.5/server/preview.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: attackers execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to web server compromise, data exfiltration, or deployment of web shells.

🟢 If Mitigated

Limited impact if network segmentation, WAF rules, and input validation are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub repositories, so this is easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: None

Restart Required: No

Instructions:

No official patch is available because the product is no longer supported. Consider migrating to a supported alternative or implementing the workarounds below.

🔧 Temporary Workarounds

1. Block access to the vulnerable endpoint (platform: all)

Restrict access to preview.php using web server configuration. The Apache rule below is written for server or virtual-host context (RewriteEngine must be on); in a per-directory .htaccess the leading slash would have to be dropped for the pattern to match.

# Apache: RewriteRule ^/public/static/admin/lib/webuploader/0.1.5/server/preview\.php$ - [F]
# Nginx: location ~ /public/static/admin/lib/webuploader/0.1.5/server/preview\.php$ { deny all; }

2. Remove the vulnerable file (platform: linux)

Delete or rename preview.php:

rm /path/to/public/static/admin/lib/webuploader/0.1.5/server/preview.php

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Deploy a web application firewall with rules that block PHP deserialization payloads

🔍 How to Verify

Check if Vulnerable:

Check whether the file /public/static/admin/lib/webuploader/0.1.5/server/preview.php exists and the installed tpadmin version is ≤ 1.3.12

Check Version:

Check the tpadmin version in its configuration files or in the admin interface
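The two checks above, as an added example (not part of the advisory or of tpadmin): a version comparison against the last affected release plus a file-existence test. The version is compared numerically rather than as a string, because a string comparison would wrongly treat "1.3.9" as newer than "1.3.12". The base directory argument is an assumption; point it at the tpadmin installation root.

```python
from pathlib import Path

# Last affected release per the advisory.
LAST_VULNERABLE = "1.3.12"

# Relative path of the vulnerable endpoint, as given in the advisory.
PREVIEW_REL_PATH = "public/static/admin/lib/webuploader/0.1.5/server/preview.php"


def parse_version(version: str) -> tuple:
    """Turn '1.3.12' (optionally 'v1.3.12') into (1, 3, 12) for numeric comparison."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def version_affected(version: str) -> bool:
    """True when the installed version is at or below the last affected release."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def preview_file_present(base_dir: str) -> bool:
    """True when preview.php is still present under the installation root."""
    return (Path(base_dir) / PREVIEW_REL_PATH).is_file()


def is_vulnerable(version: str, base_dir: str) -> bool:
    """Both conditions from the advisory must hold: affected version and file present."""
    return version_affected(version) and preview_file_present(base_dir)


if __name__ == "__main__":
    import sys

    # Usage: python check_tpadmin.py <version> <install_root>  (names are hypothetical)
    ver, root = sys.argv[1], sys.argv[2]
    print("vulnerable" if is_vulnerable(ver, root) else "not vulnerable by this check")
```

Removing preview.php (workaround 2) makes preview_file_present return False, so the same script can confirm the workaround was applied.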

Verify Fix Applied:

Verify that preview.php is inaccessible (the web server returns 403 or 404) or has been removed, and re-test with the known exploit payloads to confirm they no longer succeed

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to preview.php
  • PHP deserialization errors in logs
  • Suspicious file upload attempts

Network Indicators:

  • HTTP requests to /public/static/admin/lib/webuploader/0.1.5/server/preview.php with serialized data

SIEM Query:

source="web_logs" AND uri="/public/static/admin/lib/webuploader/0.1.5/server/preview.php" AND (method="POST" OR contains(body, "O:"))
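The same rule expressed as a standalone log scanner, added here as an example (it is not part of the advisory or of any SIEM product). It parses access-log lines, matches the preview.php path, and flags an entry when the method is POST or the logged body carries "O:", the prefix PHP's serialize() emits for objects. The log format is constructed for the example: combined format with the request body appended as a final quoted field, which real servers only produce when configured to log bodies.

```python
import re
from urllib.parse import urlsplit

# Vulnerable endpoint path from the advisory.
PREVIEW_PATH = "/public/static/admin/lib/webuploader/0.1.5/server/preview.php"

# Constructed format: combined log line followed by the request body in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<body>.*)"$'
)


def parse_line(line: str):
    """Return the parsed fields, or None for lines that do not fit the format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_suspicious(entry: dict) -> bool:
    """Mirror the SIEM rule: preview.php URI AND (POST OR body contains 'O:')."""
    # Compare the path only, so a query string cannot hide the endpoint.
    path = urlsplit(entry["target"]).path
    if path != PREVIEW_PATH:
        return False
    return entry["method"] == "POST" or "O:" in entry["body"]


def scan(lines):
    """Return (client_ip, method, status) for each line that matches the rule."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["method"], entry["status"]))
    return hits


# Constructed sample lines (documentation-range IPs, harmless serialized stdClass).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2026:10:01:02 +0000] "POST /public/static/admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 512 "-"',
    '192.0.2.44 - - [12/Mar/2026:10:01:05 +0000] "GET /public/static/admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 128 "-"',
    '192.0.2.45 - - [12/Mar/2026:10:02:11 +0000] "POST /public/index.php HTTP/1.1" 200 2048 "O:8:"stdClass":0:{}"',
    '203.0.113.9 - - [12/Mar/2026:10:03:30 +0000] "PUT /public/static/admin/lib/webuploader/0.1.5/server/preview.php?x=1 HTTP/1.1" 500 64 "O:8:"stdClass":0:{}"',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The plain GET to preview.php is not flagged (a normal preview fetch), the "O:" body against a different URI is not flagged, and the malformed line is skipped rather than raising. Feed the function your own access log lines once they are in the same shape.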
