CVE-2026-2226

4.7 MEDIUM

📋 TL;DR

This vulnerability in DouPHP allows attackers to upload arbitrary files without restrictions via the /admin/file.php ZIP file handler by manipulating the sql_filename parameter. Attackers can exploit this remotely to upload malicious files like web shells. All DouPHP installations up to version 1.9 with the vulnerable component are affected.

💻 Affected Systems

Products:
  • DouPHP
Versions: Up to and including version 1.9
Operating Systems: All operating systems running DouPHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the ZIP file handler component in /admin/file.php to be accessible; admin interface access may be required but exploit details suggest unauthenticated access is possible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through web shell upload leading to remote code execution, data theft, and lateral movement within the network.

🟠 Likely Case: Unauthorized file upload leading to web shell deployment, website defacement, or malware distribution.

🟢 If Mitigated: Limited impact with proper file upload validation and access controls preventing exploitation.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access; risk increases if internal users can access the admin interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit has been publicly disclosed on GitHub and vuldb.com; simple manipulation of sql_filename parameter leads to unrestricted upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found in provided references

Restart Required: No

Instructions:

No official patch available; upgrade to a version beyond 1.9 if released, or apply workarounds.

🔧 Temporary Workarounds

Restrict access to /admin/file.php

Applies to: all platforms

Block or restrict access to the vulnerable file handler to prevent exploitation.

# Apache: add to .htaccess in the DouPHP document root
# (the directory needs AllowOverride Limit or All; note that <Files> matches
# every file.php under the root, not only the one in /admin)
<Files "file.php">
    # Apache 2.4+
    Require all denied
    # Apache 2.2 (or 2.4 with mod_access_compat):
    # Order Deny,Allow
    # Deny from all
</Files>
# Nginx: add to the server block BEFORE the generic "location ~ \.php$" handler;
# regex locations are tried in order and the first match wins
location ~ ^/admin/file\.php$ {
    deny all;
}

Implement file upload validation

Applies to: all platforms

Add server-side validation to restrict uploaded file types and names.

<?php
# Example PHP validation snippet: whitelist the extension and strip directory components
$allowed_extensions = ['zip', 'txt'];
# basename() drops any path component, so "../../x.zip" cannot escape the upload directory
$filename = basename((string)($_POST['sql_filename'] ?? ''));
if ($filename === '' || strpos($filename, "\0") !== false) {
    die('Invalid file name');
}
# lowercase so "BACKUP.ZIP" and "backup.zip" are treated the same
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed_extensions, true)) {
    die('Invalid file type');
}

🧯 If You Can't Patch

  • Disable or remove the ZIP file handler component if not required.
  • Implement web application firewall (WAF) rules to block requests to /admin/file.php with suspicious parameters.

🔍 How to Verify

Check if Vulnerable:

Check whether the DouPHP version is 1.9 or earlier and whether /admin/file.php is accessible; attempt to upload a file via the sql_filename parameter.

Check Version:

Check DouPHP configuration files or admin panel for version information; typically in includes/version.php or similar.

Verify Fix Applied:

Verify that access to /admin/file.php is blocked or file upload validation prevents arbitrary uploads; test with malicious file upload attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/file.php carrying a sql_filename parameter
  • File uploads with unexpected extensions (e.g., .php, .jsp) in upload directories

Network Indicators:

  • HTTP traffic to /admin/file.php with file upload patterns
  • Outbound connections from server after file upload

SIEM Query:

source="web_logs" AND uri="/admin/file.php" AND method="POST" AND params LIKE "%sql_filename%"
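The two log indicators above can be checked offline with a small script like the following. This is an added example, not part of the advisory or of DouPHP; it assumes an Apache/Nginx "combined" access-log format, and the sample log lines and file names are constructed. Because access logs only record the query string, a sql_filename value sent in a POST body will not be visible there; the script therefore flags every POST to /admin/file.php and separately flags sql_filename when it does appear in the URL. The upload-directory check inspects every suffix of a name, so a double extension such as shell.php.zip is caught as well as shell.php.

```python
"""Access-log and upload-directory checks for the indicators listed above.
Added example (not DouPHP code); assumes combined log format; sample data is constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" format: ip ident user [time] "METHOD target proto" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions that should never appear in an upload or ZIP-extraction directory of a PHP CMS.
SUSPICIOUS_EXT = {".php", ".phtml", ".php5", ".phar", ".jsp", ".asp", ".aspx"}

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.10 - - [01/Mar/2026:10:00:05 +0000] "POST /admin/file.php?sql_filename=backup.zip HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Mar/2026:10:00:09 +0000] "GET /admin/file.php?sql_filename=x.php HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Mar/2026:10:00:12 +0000] "GET /admin/index.php HTTP/1.1" 200 900',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def flag_request(entry):
    """Return the list of reasons an entry matches the advisory's log indicators."""
    reasons = []
    if entry["path"].endswith("/admin/file.php"):
        if entry["method"] == "POST":
            reasons.append("POST to /admin/file.php")
        if "sql_filename" in entry["query"]:
            reasons.append("sql_filename in query string")
    return reasons


def scan_log(lines):
    """Return (ip, method, target, reasons) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_request(entry)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["target"], reasons))
    return hits


def suspicious_uploads(filenames):
    """Names whose any suffix is a server-side executable extension (catches shell.php.zip)."""
    flagged = []
    for name in filenames:
        suffixes = name.lower().split(".")[1:]
        if any("." + s in SUSPICIOUS_EXT for s in suffixes):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for ip, method, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target}: {', '.join(reasons)}")
    # Constructed directory listing standing in for the upload/extraction directory.
    for name in suspicious_uploads(["backup.zip", "shell.php", "data.txt", "shell.php.zip"]):
        print(f"suspicious upload: {name}")
```

Run against a real log by replacing SAMPLE_LOG with the lines of the access log, and against a real upload directory by passing os.listdir() of that directory to suspicious_uploads(); a non-empty result from either function is the condition the SIEM query above is meant to alert on.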
