CVE-2026-1152
Published: 19 January 2026
Summary
CVE-2026-1152 is a medium-severity Improper Access Control (CWE-284) vulnerability in Technical-Laohu Mpay. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1152 is a vulnerability in technical-laohu mpay versions up to 1.2.4, affecting an unknown function within the QR Code Image Handler component. The issue enables unrestricted upload through manipulation of the codeimg argument, as documented in the CVE description published on 2026-01-19.
The vulnerability is remotely exploitable over the network with low attack complexity and no user interaction required, but it demands high privileges from the attacker (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L, base score 4.7). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, stemming from CWEs 284 (Improper Access Control) and 434 (Unrestricted Upload of File with Dangerous Type). The exploit has been publicly disclosed and may be used by privileged remote attackers.
Advisories and further details are available at https://github.com/bdkuzma/vuln/issues/17, https://vuldb.com/?ctiid.341745, https://vuldb.com/?id.341745, and https://vuldb.com/?submit.735775.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3225
Vulnerability details
A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload of dangerous types in a public-facing web app component directly enables remote exploitation (T1190) and web shell deployment (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces access-control policy on the QR Code Image Handler so that only explicitly authorized operations may write files via the codeimg argument.
- SI-10 (Information Input Validation): requires validation of all input (including uploaded file type, content and extension) before the image handler accepts the codeimg argument, directly blocking unrestricted uploads.
- Limits the set of users granted the high privileges needed to reach the vulnerable upload function, reducing the attack surface for CVE-2026-1152.