CVE-2026-2226
Published: 09 February 2026
Summary
CVE-2026-2226 is a medium-severity Improper Access Control (CWE-284) vulnerability in Douco Douphp. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 7.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2226, published on 2026-02-09, is an unrestricted file upload vulnerability in DouPHP versions up to 1.9. The issue resides in the ZIP File Handler component, specifically within the processing of the /admin/file.php file, where manipulation of the sql_filename argument enables the upload. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
Remote attackers with high privileges, such as authenticated administrators, can exploit this vulnerability with low attack complexity and without requiring user interaction. Successful exploitation allows limited impacts, including low-level disclosure or modification of data (confidentiality and integrity) and denial of service (availability). The exploit has been publicly disclosed and may be actively used.
Advisories providing additional details are available from VulDB at https://vuldb.com/?ctiid.344943, https://vuldb.com/?id.344943, and https://vuldb.com/?submit.753441, as well as a GitHub issue at https://github.com/pengchengwangli/MyCVE/issues/2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6604
Vulnerability details
A vulnerability has been found in DouPHP up to 1.9. This issue affects some unknown processing of the file /admin/file.php of the component ZIP File Handler. Such manipulation of the argument sql_filename leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload (CWE-434) in a public-facing web app directly enables exploitation of the application (T1190) to upload and deploy a web shell (T1505.003) or other tools (T1105).
Mitigating Controls (NIST 800-53 r5)
Directly enforces approved authorizations on the /admin/file.php ZIP handler so that even high-privilege accounts cannot perform the unrestricted sql_filename upload.
Requires validation of file type, content and extension on all inputs to the file-upload function, blocking the dangerous-file upload described in CWE-434.
Deploys malicious-code scanning and blocking at upload time, mitigating the publicly disclosed exploit that allows arbitrary file types to be written to the server.
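One way to apply the input-validation control above to a ZIP upload handler, shown as an added PHP example that is not DouPHP's code or its fix. The function names, the `.sql`-only member allowlist and the file-name pattern are assumptions made for illustration.

```php
<?php
// Added example, not DouPHP code. Allowlist and naming rule are assumptions.
const ALLOWED_MEMBER_EXT = ['sql']; // assumed: backup archives hold only .sql dumps

// Accept only a bare name such as "backup_20260209.sql": no path, no second extension.
function is_safe_sql_filename(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.sql\z/', $name) === 1;
}

// Return the reasons to reject an uploaded ZIP; an empty array means it passed.
function zip_rejection_reasons(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['not a readable ZIP archive'];
    }
    $reasons = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $member = (string) $zip->getNameIndex($i);
        $segments = explode('/', str_replace('\\', '/', $member));
        if ($member === '' || $member[0] === '/' || in_array('..', $segments, true)
            || strpos($member, "\0") !== false) {
            $reasons[] = "unsafe path: $member";
            continue;
        }
        if (substr($member, -1) === '/') {
            continue; // directory entry, carries no content
        }
        $ext = strtolower(pathinfo($member, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_MEMBER_EXT, true)) {
            $reasons[] = "disallowed type: $member";
        }
    }
    $zip->close();
    return $reasons;
}

// Constructed sample archive (not from the advisory) to exercise the checks.
$path = sys_get_temp_dir() . '/constructed_' . uniqid() . '.zip';
$sample = new ZipArchive();
$sample->open($path, ZipArchive::CREATE);
$sample->addFromString('backup/dump.sql', "-- constructed dump\n");
$sample->addFromString('backup/page.php', "constructed placeholder\n");
$sample->close();

var_dump(is_safe_sql_filename('backup_20260209.sql'), is_safe_sql_filename('../x.php'));
print_r(zip_rejection_reasons($path));
unlink($path);
```

Run both checks before the archive leaves the temporary upload location, and reject the request when the name check fails or the returned array is non-empty.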