CVE-2026-56124
Published: 29 June 2026
Summary
CVE-2026-56124 is a high-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories: Databases (T1213.006). The CVE is ranked at the 28.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-40114
Vulnerability details
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2id key hashes, internal filenames, and SHA-256 fingerprints.
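As a quick check against a deployment, the following added example (not phpUploader code and not part of the advisory) pulls every inline script block out of an HTML response, parses any JSON literal embedded in it, and flags result sets that carry the data classes named above: IPv4 addresses, Argon2id PHC-format hashes, and 64-hex SHA-256 digests. The sample page is constructed for the example; its field names (`ip`, `key`, `stored`, `sha256`) are assumptions, which is why the detector keys on value shapes rather than on field names.

```python
import json
import re
from html.parser import HTMLParser

# Value-shape patterns for the data classes the advisory says are exposed.
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
ARGON2ID = re.compile(r"^\$argon2id\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample response (not captured from phpUploader). The field names
# are assumptions; only the value shapes matter to the detector below.
SAMPLE_HTML = """<!doctype html>
<html><head><title>uploads</title>
<script src="/assets/app.js"></script>
<script>
var files = [{"id":1,"ip":"203.0.113.7","key":"$argon2id$v=19$m=65536,t=4,p=1$c2FsdHNhbHQ$Zm9vYmFyYmF6cXV4","stored":"f_8b1c.bin","sha256":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
{"id":2,"ip":"198.51.100.23","key":"$argon2id$v=19$m=65536,t=4,p=1$c2FsdHNhbHQ$YmF6cXV4Zm9vYmFy","stored":"f_22aa.bin","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}];
</script>
</head><body><p>Upload a file</p></body></html>"""


class InlineScripts(HTMLParser):
    """Collect the body of every <script> element that has no src attribute."""

    def __init__(self):
        super().__init__()
        self._in_inline = False
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._in_inline = True
            self.blocks.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.blocks[-1] += data


def json_values(text):
    """Yield every JSON value that parses starting at some '[' or '{' in text."""
    decoder = json.JSONDecoder()
    i = 0
    while i < len(text):
        if text[i] in "[{":
            try:
                value, end = decoder.raw_decode(text, i)
            except ValueError:
                i += 1
                continue
            yield value
            i = end
        else:
            i += 1


def strings_in(value):
    """Recursively yield every string inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from strings_in(item)
    elif isinstance(value, list):
        for item in value:
            yield from strings_in(item)


def check_html(html):
    """Return one finding per embedded JSON value whose strings look like
    IP addresses, Argon2id hashes or SHA-256 digests; [] means nothing matched."""
    parser = InlineScripts()
    parser.feed(html)
    findings = []
    for script in parser.blocks:
        for value in json_values(script):
            strings = list(strings_in(value))
            ips = sorted({s for s in strings if IPV4.match(s)})
            hashes = sum(1 for s in strings if ARGON2ID.match(s))
            digests = sum(1 for s in strings if SHA256_HEX.match(s))
            if ips or hashes or digests:
                findings.append({
                    "records": len(value) if isinstance(value, list) else 1,
                    "ips": ips,
                    "argon2id_hashes": hashes,
                    "sha256_digests": digests,
                })
    return findings


def check_url(url):
    """Fetch one page unauthenticated and run the check on its body."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_html(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for finding in check_html(SAMPLE_HTML):
        print(finding)
```

Because the advisory says the leak appears on any page, run `check_url` against the index and a couple of other routes of an instance you are authorized to test; an empty result from a single page is not proof the instance is patched.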
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated exposure of full uploaded-files DB table contents directly enables T1213.006 Data from Information Repositories: Databases.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data.
- Detecting and protecting against mining of private personal information reduces unauthorized exposure of PII.
- Tracking the locations of sensitive data and the users who access it reduces the risk of private personal information exposure.
- Explicitly limiting use of private personal information (PII) to operational purposes reduces opportunities for its exposure outside production systems.
- Explicit categorization of PII ensures stronger privacy controls are applied and approved before system operation.
- Tainting enables identification of exfiltration of private personal information to unauthorized parties.
- Automated marking identifies private personal information in outputs, tangibly reducing the ability to exploit weaknesses that result in its unauthorized exposure.
- Privacy-specific attributes and their controlled association directly reduce exposure of private personal information through missing or incorrect labeling.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only). These are host-baseline rules for the same weakness class; they do not remediate the application flaw itself, which requires upgrading phpUploader to 2.0.2 or later.
Oracle Linux 8 (2 rules)
- V-248580 OL 8 must prevent kernel profiling by unprivileged users. via CWE-497
- V-248551 A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-497
RHEL 8 (1 rule)
- V-230270 RHEL 8 must prevent kernel profiling by unprivileged users. via CWE-497
Ubuntu 22.04 (2 rules)
- V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-497
- V-260531 Ubuntu 22.04 LTS must configure the SSH daemon to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. via CWE-359
Ubuntu 24.04 (2 rules)
- V-270675 Ubuntu 24.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-497
- V-270670 Ubuntu 24.04 LTS must configure the SSH client to use FIPS 140-3 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. via CWE-359