Cyber Resilience

CVE-2026-2226

Severity: Medium · Public PoC

Published: 09 February 2026
Modified: 27 February 2026
CVSS v4.0 score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0003 (7.5th percentile)
Risk priority: 10 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2226 is a medium-severity Improper Access Control (CWE-284) vulnerability in Douco Douphp. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 7.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2226, published on 2026-02-09, is an unrestricted file upload vulnerability in DouPHP versions up to 1.9. The issue resides in the ZIP File Handler component, specifically within the processing of the /admin/file.php file, where manipulation of the sql_filename argument enables the upload. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

Remote attackers with high privileges, such as authenticated administrators, can exploit this vulnerability with low attack complexity and without requiring user interaction. Successful exploitation allows limited impacts, including low-level disclosure or modification of data (confidentiality and integrity) and denial of service (availability). The exploit has been publicly disclosed and may be actively used.

Advisories providing additional details are available from VulDB at https://vuldb.com/?ctiid.344943, https://vuldb.com/?id.344943, and https://vuldb.com/?submit.753441, as well as a GitHub issue at https://github.com/pengchengwangli/MyCVE/issues/2.

Vulnerability details

A vulnerability has been found in DouPHP up to 1.9. This issue affects some unknown processing of the file /admin/file.php of the component ZIP File Handler. Such manipulation of the argument sql_filename leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
- T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Unrestricted file upload (CWE-434) in a public-facing web app directly enables exploitation of the application (T1190) to upload and deploy a web shell (T1505.003) or other tools (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-1107 (shared CWE-284, CWE-434)
- CVE-2025-0722 (shared CWE-284, CWE-434)
- CVE-2025-2687 (shared CWE-284, CWE-434)
- CVE-2026-4221 (shared CWE-284, CWE-434)
- CVE-2024-13133 (shared CWE-284, CWE-434)
- CVE-2026-1424 (shared CWE-284, CWE-434)
- CVE-2025-0460 (shared CWE-284, CWE-434)
- CVE-2025-2350 (shared CWE-284, CWE-434)
- CVE-2025-1166 (shared CWE-284, CWE-434)
- CVE-2025-2115 (shared CWE-284, CWE-434)

Affected Assets

Douco DouPHP, versions ≤ 1.9

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces approved authorizations on the /admin/file.php ZIP handler so that even high-privilege accounts cannot perform the unrestricted sql_filename upload.

SI-10 Information Input Validation (prevent): Requires validation of file type, content and extension on all inputs to the file-upload function, blocking the dangerous-file upload described in CWE-434.

Malicious-code scanning at upload time (prevent, detect; the page does not name the control identifier): Deploys malicious-code scanning and blocking at upload time, mitigating the publicly disclosed exploit that allows arbitrary file types to be written to the server.
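The SI-10 control above, worked out as an added example: hypothetical PHP that is not DouPHP's code (the page does not show the vulnerable handler), hardening a handler that receives an uploaded ZIP plus a user-supplied sql_filename. Assumed: the handler should store exactly one .sql entry from the archive under a data directory outside the web root; the function names and $dataDir are illustrative.

```php
<?php
// Added example, not DouPHP's own code: hypothetical hardening of an admin
// handler that takes an uploaded ZIP plus a user-controlled sql_filename
// (NIST SI-10 / CWE-434). Assumed: the handler stores exactly one .sql entry
// from the archive under $dataDir, a directory outside the web root.
declare(strict_types=1);

// Allowlist the name: plain base name, no directory parts, single .sql suffix.
function validateSqlFilename(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\.sql\z/', $name);
}

// Check the upload's bytes rather than its declared MIME type or extension:
// a ZIP begins with the local file header signature "PK\x03\x04".
function isZipByMagic(string $path): bool
{
    return file_get_contents($path, false, null, 0, 4) === "PK\x03\x04";
}

function extractSqlFromZip(string $zipPath, string $sqlFilename, string $dataDir): string
{
    if (!validateSqlFilename($sqlFilename)) {
        throw new InvalidArgumentException('sql_filename rejected by allowlist');
    }
    if (!isZipByMagic($zipPath)) {
        throw new RuntimeException('upload is not a ZIP archive');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    try {
        // Look up only the expected entry; no other entry name is ever written out.
        $index = $zip->locateName($sqlFilename);
        if ($index === false) {
            throw new RuntimeException('expected .sql entry not present');
        }
        $content = $zip->getFromIndex($index);
        if ($content === false || strlen($content) > 50 * 1024 * 1024) {
            throw new RuntimeException('entry unreadable or over the 50 MiB limit');
        }
        $dest = $dataDir . DIRECTORY_SEPARATOR . $sqlFilename;
        file_put_contents($dest, $content, LOCK_EX);
        return $dest;
    } finally {
        $zip->close();
    }
}
```

Because the destination name comes from the allowlist rather than from the archive's own entry names, traversal sequences or a .php name inside the ZIP never reach the filesystem; the AC-3 authorization check still has to run before this code is reached.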
