← back
CVE-2026-6573

PHPEMS Instant Exam Creation exams.master.php temppage server-side request forgery

CVSS 5.3 MEDIUMEPSS 0.3%CWE-918
A vulnerability was detected in PHPEMS 11.0. This affects the function temppage of the file /app/exam/controller/exams.master.php of the component Instant Exam Creation Handler. The manipulation of the argument uploadfile results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
n/a · PHPEMS
public PoCs found1
cve_referencevulnplus-note.wetolink.com/share/1QZ4NE0oTRIcunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://vuldb.com/submit/789990https://vuldb.com/vuln/358207https://vuldb.com/vuln/358207/ctihttps://vulnplus-note.wetolink.com/share/1QZ4NE0oTRIc