VYPR
Moderate severity · NVD Advisory · Published Aug 29, 2024 · Updated Aug 29, 2024

FeehiCMS index.php insert unrestricted upload

CVE-2024-8296

Description

A vulnerability was found in FeehiCMS up to 2.1.1 and classified as critical. This issue affects the function insert of the file /admin/index.php?r=user%2Fcreate. The manipulation of the argument User[avatar] leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS up to 2.1.1 contains an unrestricted file upload vulnerability via the User[avatar] parameter, allowing remote attackers to upload arbitrary files.

A critical unrestricted file upload vulnerability exists in FeehiCMS versions up to 2.1.1. The flaw resides in the insert function of the user creation endpoint /admin/index.php?r=user%2Fcreate, where the User[avatar] parameter is not properly validated. This allows an attacker to upload arbitrary files without restriction [1].

The advisory states that the vulnerability can be exploited remotely. It does not say whether authentication is required, though the endpoint is part of the admin panel, which may require prior access. Because the file type is not validated on the server side, the upload accepts arbitrary files [1].

Successful exploitation could allow an attacker to upload a malicious script (e.g., PHP web shell) that can be executed on the server, leading to remote code execution, data compromise, and full server takeover. Given that the exploit has been publicly disclosed, the risk is elevated [1].

The vendor was contacted but did not respond, meaning no official patch or workaround has been released. Users are advised to apply strict file upload restrictions (e.g., allow only image types, restrict execution permissions) or consider migrating to alternative solutions. The public availability of exploit details increases the urgency for remediation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/cms (Packagist)
Affected versions: <= 2.1.1
Patched versions: (none listed)

Affected products: 2

Patches: 0. No patches discovered yet.

References: 6