{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6573", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-18T19:47:53.569Z", "datePublished": "2026-04-19T12:45:14.558Z", "dateUpdated": "2026-04-19T12:45:14.558Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-19T12:45:14.558Z"}, "title": "PHPEMS Instant Exam Creation exams.master.php temppage server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "n/a", "product": "PHPEMS", "versions": [{"version": "11.0", "status": "affected"}], "cpes": ["cpe:2.3:a:phpems:phpems:*:*:*:*:*:*:*:*"], "modules": ["Instant Exam Creation Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in PHPEMS 11.0. This affects the function temppage of the file /app/exam/controller/exams.master.php of the component Instant Exam Creation Handler. The manipulation of the argument uploadfile results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-18T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-18T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-18T21:53:07.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "vulnplusbot (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/358207", "name": "VDB-358207 | PHPEMS Instant Exam Creation exams.master.php temppage server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358207/cti", "name": "VDB-358207 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/789990", "name": "Submit #789990 | PHPEMS 11.0 SSRF", "tags": ["third-party-advisory"]}, {"url": "https://vulnplus-note.wetolink.com/share/1QZ4NE0oTRIc", "tags": ["broken-link", "exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in PHPEMS 11.0. This affects the function temppage of the file /app/exam/controller/exams.master.php of the component Instant Exam Creation Handler. The manipulation of the argument uploadfile results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used."}], "id": "CVE-2026-6573", "lastModified": "2026-04-19T13:16:46.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-19T13:16:46.187", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/789990"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358207"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358207/cti"}, {"source": "cna@vuldb.com", "url": "https://vulnplus-note.wetolink.com/share/1QZ4NE0oTRIc"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "11.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "PHPEMS", "source": "cna", "vendor": "n/a"}, "product": "phpems", "vendor": "phpems"}], "analysis": {"en": {"generated_at": "2026-04-19T15:05:47.047473+00:00", "value": {"mitigation_remediation": ["If a vendor patch is not yet released, remove or disable the temppage endpoint from the PHPEMS application", "Configure a web\u2011application firewall to block or reject requests that contain the uploadfile parameter", "Implement outbound firewall rules to restrict the server\u2019s HTTP(S) traffic to a whitelist of trusted destinations and block access to internal IP ranges"], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery (SSRF)"}, "threat_synthesis": {"affected_systems": "PHPEMS 11.0 is affected; the vulnerability resides in the Instant Exam Creation Handler component, specifically the temppage endpoint that processes the uploadfile argument.", "description_and_impact": "A flaw in PHPEMS version 11.0 occurs in the temppage function of the /app/exam/controller/exams.master.php file. The uploadfile parameter is not properly validated, allowing an attacker to supply arbitrary values that cause the application server to issue HTTP requests to any target URL. This Server\u2011Side Request Forgery can be triggered remotely, which enables a remote attacker to force the server to access external or internal resources.", "risk_and_exploitability": "The reported CVSS score of 5.3 places the issue in the medium severity range. EPSS data is not available, but the public availability of exploit code suggests that the flaw is likely to be used by threat actors. The attack can be carried out from outside the network because it only requires sending an HTTP request to the PHPEMS instance. Based on typical SSRF behavior, an attacker might be able to retrieve data from internal services if the server\u2019s outbound policy does not restrict access, or otherwise direct traffic to arbitrary destinations. The vulnerability is not listed in the CISA KEV catalog, yet its remote nature and public exploit code warrant prompt remediation."}}}}, "created": "2026-04-19T15:15:15.539476+00:00", "updated": "2026-04-19T15:15:15.656960+00:00", "vendors": ["phpems", "phpems$PRODUCT$phpems"]}