Cyber Resilience

CVE-2026-1107

Severity: Medium

Published: 18 January 2026
Modified: 27 February 2026
CVSS v4 score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0048 (37.6th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-1107 is a medium-severity Improper Access Control (CWE-284) vulnerability in EyouCMS (vendor Eyoucms). Its CVSS v4 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 37.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1107 is a vulnerability in EyouCMS versions up to 1.7.1 and 5.0, specifically affecting the check_userinfo function in the Diyajax.php file of the Member Avatar Handler component. The issue arises from manipulation of the viewfile argument, which enables unrestricted file upload. It is rated CVSS v3.1 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

The vulnerability can be exploited remotely by an attacker possessing low privileges, such as a registered user. Exploitation allows limited impacts on confidentiality, integrity, and availability, potentially leading to code execution through file inclusion as demonstrated in public proofs-of-concept.

Advisories from VulDB note the issue was disclosed on 2026-01-18, with the vendor contacted early but providing no response or patches. GitHub repositories host detailed exploit documentation and a proof-of-concept for EyouCMS 1.7.1, confirming the viewfile parameter's role in enabling remote code execution via local file inclusion.

The exploit is publicly available and could be used for attacks, though no real-world exploitation in the wild is documented in the provided references.

Vulnerability details

A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Unrestricted file upload (CWE-434) in a public-facing web application enables remote upload of a web shell and code execution via file inclusion; this maps directly to initial access through public application exploitation, web shell deployment, and ingress tool transfer.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-65868: same product (Eyoucms Eyoucms)
CVE-2026-3025: shared CWE-284, CWE-434
CVE-2025-0460: shared CWE-284, CWE-434
CVE-2026-2684: shared CWE-284, CWE-434
CVE-2025-1555: shared CWE-284, CWE-434
CVE-2026-2977: shared CWE-284, CWE-434
CVE-2026-4201: shared CWE-284, CWE-434
CVE-2025-2350: shared CWE-284, CWE-434
CVE-2026-2978: shared CWE-284, CWE-434
CVE-2025-2115: shared CWE-284, CWE-434

Affected Assets

eyoucms eyoucms: versions 1.7.0, 1.7.1, 5.0

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: directly blocks manipulation of the viewfile argument in check_userinfo by enforcing validation of file types, paths, and content before any upload or inclusion occurs.

Prevent: enforces access-control decisions on the Member Avatar Handler so that only explicitly authorized operations on viewfile are permitted, stopping the unrestricted upload path.

Prevent: restricts the web application to least functionality by disabling or sandboxing file-upload features in Diyajax.php that are not strictly required for avatar handling.
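To make the first two controls concrete, the following is an added example written for this page (it is not EyouCMS code and does not reflect how Diyajax.php is actually structured) showing how an avatar handler can validate a user-controlled file reference such as viewfile before any upload, read or inclusion. AVATAR_DIR, validate_avatar_reference() and the per-member directory layout are assumptions.

```php
<?php
// Added example, not EyouCMS code: a hardened check for a user-supplied
// avatar file reference, applied before any upload, read or include.
// AVATAR_DIR, validate_avatar_reference() and the layout are assumed.

const AVATAR_DIR  = '/var/www/uploads/avatars';   // assumed storage root
const ALLOWED_EXT = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                     'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

/**
 * Returns a canonical path inside the member's own avatar directory,
 * or throws. The result is only ever passed to move_uploaded_file()
 * or readfile(), never to include/require.
 */
function validate_avatar_reference(string $viewfile, int $memberId): string
{
    // SI-10: reject empty names, control characters and null bytes.
    if ($viewfile === '' || preg_match('/[\x00-\x1f]/', $viewfile)) {
        throw new InvalidArgumentException('invalid characters in file reference');
    }
    // SI-10: only a bare file name; no separators, no "../" traversal.
    if (strpbrk($viewfile, "/\\") !== false || basename($viewfile) !== $viewfile) {
        throw new InvalidArgumentException('path components are not allowed');
    }
    // SI-10: allow-list the extension and forbid double extensions.
    // A deny-list of .php is not enough (.phtml, .phar, shell.php.png).
    $ext = strtolower(pathinfo($viewfile, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext]) || substr_count($viewfile, '.') !== 1) {
        throw new InvalidArgumentException('file type not permitted');
    }
    // AC-3: confine the operation to this member's own directory.
    $root = realpath(AVATAR_DIR);
    $dir  = realpath(AVATAR_DIR . '/' . $memberId);
    if ($root === false || $dir === false
        || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('member avatar directory not available');
    }
    $path = $dir . DIRECTORY_SEPARATOR . $viewfile;
    // SI-10: if the file already exists, its bytes must really be an image
    // whose detected MIME type matches the extension, not just its name.
    if (is_file($path)) {
        $info = @getimagesize($path);
        if ($info === false || $info['mime'] !== ALLOWED_EXT[$ext]) {
            throw new RuntimeException('file content does not match its extension');
        }
    }
    return $path;
}
```

Any exception here should be logged with the member id and the rejected value, since repeated rejections on this parameter are a useful detection signal for probing of the upload path.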
