| Title | YZNCMS 2.1.5 SQL Injection |
|---|---|
| Description | YZNCMS v2.1.5 allows a super administrator to upload and install a local addon package when `APP_DEBUG=true`. The addon installation flow extracts attacker-controlled ZIP content and then enables the addon, copying addon asset files into a web-accessible directory under `public/assets/addons/<name>/`.<br>Because the upload flow does not restrict executable PHP content inside the addon package, a super administrator can upload an addon containing a PHP payload and obtain remote code execution.<br>Affected code paths:<br>- `app/admin/controller/Addon.php:273`<br>- `vendor/yzncms/think-addons/src/addons/Service.php:391`<br>- `vendor/yzncms/think-addons/src/addons/Service.php:584`<br>- `vendor/yzncms/think-addons/src/addons/Service.php:204`<br>- `vendor/yzncms/think-addons/src/addons/Service.php:870` |
| Source | https://github.com/0d000721999/evc1/issues/3 |
| User | 0d00 (UID 98238) |
| Submission | 05/23/2026 13:44 (27 days ago) |
| Moderation | 06/17/2026 14:50 (25 days later) |
| Status | Duplicate |
| VulDB entry | 297637 [YZNCMS 2.0.1 Plugin Installation unrestricted upload] |
| Points | 0 |