CVE-2026-2164
Published: 08 February 2026
Summary
CVE-2026-2164 is an Improper Access Control (CWE-284) vulnerability in Detronetdip E-Commerce. The summary score of 6.9 (Medium) is consistent with the CVSS v4.0 base score VulDB assigns to this class of vector; the CVSS v3.1 vector given in the analysis below evaluates to 7.3, which is High on the v3.1 scale, so treat the severity as High when triaging on v3.1.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 35.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2164 is an unrestricted file upload vulnerability in detronetdip E-commerce version 1.0.0. The flaw resides in the processing of the file /seller/assets/backend/profile/addadhar.php, where manipulation of the "File" argument allows attackers to upload files without restrictions. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required. The vector rates the confidentiality, integrity, and availability impacts as Low, but that reflects the upload itself, not what happens next: if the endpoint accepts a PHP file into a web-served directory, the attacker has a web shell, and the practical impact on an exposed instance is full application compromise.
Advisories from VulDB and the project's GitHub repository indicate that the issue was reported early via detronetdip/E-commerce/issues/23, but the maintainers have not responded or released patches. A public exploit is available at github.com/Nixon-H/PHP-Unrestricted-Upload-RCE, heightening the risk for unpatched deployments.
The exploit's public release underscores active threat potential against exposed instances of this e-commerce software.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5785
Vulnerability details
A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in a public-facing web app directly enables initial access via exploitation (T1190), web shell deployment for execution/persistence (T1505.003), and arbitrary tool/malware transfer (T1105).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of file type, content, and extension on the File argument processed by addadhar.php, directly blocking unrestricted uploads.
- AC-3 (Access Enforcement): enforces access-control policy on the upload endpoint so that only authorized, validated file operations are permitted, addressing the CWE-284 flaw.
- SI-3 (Malicious Code Protection): deploys malicious-code scanning and blocking at the application or boundary layer to stop dangerous file types from being stored or executed after upload.
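The following PHP is an added example, not code from the detronetdip E-commerce project, and it does not reproduce addadhar.php. It shows the unrestricted-upload pattern the advisory describes (client-chosen filename written into a web-served directory) beside a hardened handler that applies the SI-10 and AC-3 controls listed above: authorization check, size cap, content-type sniffed from the bytes rather than from the request, server-generated filename with an allow-listed extension, and storage outside the document root. The function names, the `$storeDir` path and the session key `seller_id` are assumptions for illustration; only the parameter name `File` comes from the advisory.

```php
<?php
// Added example for CVE-2026-2164; not the project's source code.
declare(strict_types=1);

// --- Vulnerable pattern (illustrative reconstruction, assumed, not the real addadhar.php) ---
// Trusts the client-supplied filename and writes straight into a directory the web
// server executes PHP from. An upload named shell.php becomes a web shell.
function vulnerable_upload(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $file['name'];   // attacker controls name and extension
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened handler ---
const MAX_BYTES = 2 * 1024 * 1024;              // 2 MiB is plenty for a scanned ID document
const ALLOWED = [                               // allow-listed extension => MIME type sniffed from bytes
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

function handle_upload(array $file, string $storeDir, ?int $sellerId): string
{
    // AC-3: the endpoint must refuse anonymous callers before looking at the file.
    if ($sellerId === null) {
        throw new RuntimeException('not authorized');
    }
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!isset($file['size']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Guards against a forged $_FILES array pointing at an arbitrary local path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // SI-10: sniff the content type from the bytes. $_FILES['File']['type'] is
    // chosen by the client and is deliberately never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $ext   = array_search($mime, ALLOWED, true);
    if ($ext === false) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }
    // Images must also decode as images; a PHP file with a faked JPEG header fails here.
    if ($mime !== 'application/pdf' && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-generated name: no request bytes reach the path, and the extension
    // comes from the allow list, so a ".php" or ".phtml" suffix can never be stored.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;

    // $storeDir is assumed to sit outside the document root, so nothing written
    // here is ever executed by the web server.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $name;   // persist against the seller record; serve later via a download script
}

// Usage (assumed session key and storage path):
// $name = handle_upload($_FILES['File'], '/var/app/private/adhar', $_SESSION['seller_id'] ?? null);
```

Two points of the design are worth calling out. The extension is derived from the sniffed MIME type, not the reverse, so the allow list is the only source of suffixes that can reach disk. And storing outside the web root is what makes the remaining risk acceptable even if a check is later loosened; where that is impossible, the same directory must at least have PHP execution disabled in the web server configuration, which is the boundary-layer half of the SI-3 control above.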