CVE-2025-15426

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions jackying H-ui.admin versions up to 3.1

Description A flaw exists in jackying H-ui.admin that allows for unrestricted file uploads. This issue affects an unknown function within the /lib/webuploader/0.1.5/server/preview.php library. The attack can be carried out remotely. The exploit is publicly available. The vendor was contacted but did not respond.

Recommendations Versions prior to 3.1 should be updated. As a temporary workaround, consider restricting access to the /lib/webuploader/0.1.5/server/preview.php file to minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434CWE-284

Related Identifiers

CVE-2025-15426

Affected Products

H-Ui.Admin

Webuploader

CVE-2025-15426

Weakness Enumeration

Related Identifiers

Affected Products

References · 12