CVE-2026-2113 in tpadmin

Summary

by MITRE • 02/07/2026

A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Analysis

by VulDB Data Team • 03/05/2026

This vulnerability resides within the yuan1994 tpadmin content management system version 1.3.12 and earlier, specifically targeting the WebUploader library component located at /public/static/admin/lib/webuploader/0.1.5/server/preview.php. The flaw represents a critical deserialization vulnerability that allows remote attackers to execute arbitrary code on affected systems. The vulnerability stems from improper input validation and unsafe deserialization practices within the preview.php script, which processes file upload previews without adequate sanitization of user-supplied data. This creates a pathway for attackers to craft malicious serialized objects that, when processed by the vulnerable application, trigger unintended code execution. The issue is particularly concerning as it affects a component that handles file uploads and previews, making it accessible through standard web application interfaces.

The technical exploitation of this vulnerability follows a classic deserialization attack pattern where malicious input is passed to a deserialization function that processes serialized data without proper validation. The CWE-502 standard categorizes this as a "Deserialization of Untrusted Data" vulnerability, which directly enables remote code execution through object injection attacks. Attackers can leverage this weakness by crafting specially formatted serialized data that, when deserialized by the preview.php script, executes arbitrary commands on the target server. The vulnerability's remote exploitability means that attackers do not require physical access or local privileges to compromise affected systems. This aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: PowerShell" and T1566.001 for "Phishing: Spearphishing Attachment" as attackers may use this vulnerability to deliver malicious payloads through compromised file upload mechanisms.

The operational impact of this vulnerability extends beyond simple code execution to encompass full system compromise and data exfiltration capabilities. Organizations running unsupported versions of yuan1994 tpadmin face severe risks including unauthorized access to sensitive data, system infiltration, and potential lateral movement within network environments. The fact that this vulnerability has been publicly disclosed and has available exploits accelerates the risk profile significantly, as it transforms from a theoretical threat to an active attack vector. The vulnerability affects systems that are no longer supported by maintainers, meaning organizations cannot receive official patches or security updates, leaving them exposed to persistent threats. The affected WebUploader component specifically handles file preview functionality, making it a prime target for attackers seeking to establish persistent access through malicious file uploads. This vulnerability represents a critical weakness in the application's security architecture and demonstrates the dangers of using unsupported software components.

Mitigation strategies for this vulnerability must address both immediate remediation and long-term security improvements. Organizations should immediately cease using unsupported versions of yuan1994 tpadmin and migrate to supported releases or alternative content management systems. The most effective immediate fix involves implementing proper input validation and sanitization mechanisms within the preview.php script to prevent deserialization of untrusted data. Security measures should include disabling file preview functionality for sensitive operations, implementing strict file type validation, and applying web application firewalls to monitor and filter suspicious requests. The ATT&CK framework suggests implementing defenses at multiple layers, including network segmentation to limit lateral movement, endpoint detection and response solutions to monitor for suspicious deserialization patterns, and regular security assessments to identify similar vulnerabilities. Organizations should also consider implementing least-privilege access controls and regular security audits to prevent exploitation of similar weaknesses in other system components. Given the public availability of exploits, organizations must assume that attackers are actively targeting vulnerable systems and should prioritize immediate remediation over extended planning phases.
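
The monitoring step above can be sketched as an access-log triage script. This is an added example, not code from tpadmin, WebUploader or VulDB. It assumes a common/combined log format and matches the script path by its tail, since the web root may be the public/ directory. The sample log lines and the parameter name x are constructed.

```python
import re
from urllib.parse import unquote

# Tail of the script path named in the advisory; matched as a substring on the
# assumption that the web root may be the application's public/ directory.
VULN_SUFFIX = "/webuploader/0.1.5/server/preview.php"
# PHP serialize() writes objects as O:<len>:"<Class>":<count>:{ and
# Serializable objects as C:<len>:"<Class>":<len>:{
PHP_OBJECT = re.compile(r'(?:^|[^A-Za-z0-9])[OC]:\+?\d+:"[^"]*":\d+:\{')
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: addresses, times and the parameter name x are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Feb/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [07/Feb/2026:10:00:02 +0000] "GET /static/admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 12
203.0.113.9 - - [07/Feb/2026:10:00:03 +0000] "GET /static/admin/lib/webuploader/0.1.5/server/preview.php?x=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 12
203.0.113.9 - - [07/Feb/2026:10:00:04 +0000] "POST /public/static/admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 12
203.0.113.9 - - [07/Feb/2026:10:00:05 +0000] "GET /static/admin/lib/webuploader/0.1.5/server/preview.php?x=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D HTTP/1.1" 200 12
"""

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markers are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a verdict for one access-log line, or None if unrelated."""
    m = REQUEST.search(line)
    if not m:
        return None
    target = decode_fully(m.group("target"))
    path = re.sub(r"/{2,}", "/", target.split("?", 1)[0]).lower()
    if VULN_SUFFIX not in path:
        return None
    if PHP_OBJECT.search(target):
        return "serialized-object"   # PHP object marker in the request target
    if m.group("method") == "POST":
        return "post-body-unlogged"  # body is not in the access log: review
    return "touch"                   # any hit on the unsupported script

def scan(log_text):
    """Return (line number, verdict) for every relevant line."""
    return [(n, v) for n, line in enumerate(log_text.splitlines(), 1)
            if (v := classify(line))]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Access logs do not record request bodies, so a POST to the script is reported for manual review rather than cleared.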

Responsible: VulDB
Disclosure: 02/07/2026
Moderation: accepted
CPE: ready
Exploit: Download
EPSS: 0.00021
KEV: no
Activities: very low
