CVE-2026-2164

Medium · Public PoC

Published: 08 February 2026

Modified: 19 February 2026
KEV Added
Patch
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0045 (35.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2164 is a medium-severity Improper Access Control (CWE-284) vulnerability in Detronetdip E-Commerce. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2164 is an unrestricted file upload vulnerability in detronetdip E-commerce version 1.0.0. The flaw resides in the processing of the file /seller/assets/backend/profile/addadhar.php, where manipulation of the "File" argument allows attackers to upload files without restrictions. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction. Successful exploitation has a low impact on confidentiality, integrity, and availability, and may enable further compromise depending on the uploaded file type.

Advisories from VulDB and the project's GitHub repository indicate that the issue was reported early via detronetdip/E-commerce/issues/23, but the maintainers have not responded or released patches. A public exploit is available at github.com/Nixon-H/PHP-Unrestricted-Upload-RCE, heightening the risk for unpatched deployments.

The exploit's public release underscores active threat potential against exposed instances of this e-commerce software.

Vulnerability details

A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Unrestricted file upload in a public-facing web app directly enables initial access via exploitation (T1190), web shell deployment for execution/persistence (T1505.003), and arbitrary tool/malware transfer (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15582 · Same product: Detronetdip E-Commerce
CVE-2026-2165 · Same product: Detronetdip E-Commerce
CVE-2026-3025 · Shared CWE-284, CWE-434
CVE-2025-0460 · Shared CWE-284, CWE-434
CVE-2026-2684 · Shared CWE-284, CWE-434
CVE-2025-1555 · Shared CWE-284, CWE-434
CVE-2026-2977 · Shared CWE-284, CWE-434
CVE-2026-4201 · Shared CWE-284, CWE-434
CVE-2025-2350 · Shared CWE-284, CWE-434
CVE-2026-2978 · Shared CWE-284, CWE-434

Affected Assets

detronetdip e-commerce 1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of file type, content, and extension on the File argument processed by addadhar.php, directly blocking unrestricted uploads.

prevent

Enforces access-control policy on the upload endpoint so that only authorized, validated file operations are permitted, addressing the CWE-284 flaw.

prevent · detect

Deploys malicious-code scanning and blocking at the application or boundary layer to stop dangerous file types from being stored or executed after upload.
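
One way to apply the validation and access-enforcement controls above to an upload handler, as an added example that is not the project's code. The `File` field name comes from this page; the allowed types, size limit, `seller_id` session key and storage path are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed policy (not from the project): identity documents as JPEG, PNG or PDF, max 2 MiB.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];
const MAX_BYTES = 2 * 1024 * 1024;

/** Validate one $_FILES entry; return the allowlisted extension or throw. */
function checked_extension(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {      // must come from this request's POST body
        throw new RuntimeException('not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('size out of range');
    }
    // Extension: the client-supplied name is used only as a lookup key into the allowlist.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('extension not allowed');
    }
    // Content: sniff the bytes on disk; the client-supplied $file['type'] is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    return $ext;
}

session_start();
if (empty($_SESSION['seller_id'])) {                 // hypothetical session key: access enforcement
    http_response_code(403);
    exit;
}
try {
    $ext = checked_extension($_FILES['File'] ?? []);
    // Server-chosen name, stored in a directory the web server neither serves nor executes from.
    $dest = '/var/app-data/seller-docs/' . bin2hex(random_bytes(16)) . '.' . $ext;  // assumed path
    if (!move_uploaded_file($_FILES['File']['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    http_response_code(201);
} catch (RuntimeException $e) {
    http_response_code(400);
}
```

The content sniff needs PHP's fileinfo extension. Even with these checks, the storage directory should have script execution disabled at the web-server level.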
