CVE-2012-10049

CRITICAL

WebPageTest < 2.6 - Remote Code Execution via Unrestricted File Upload in resultimage.php

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2012-10049. PoCs were published by Metasploit, dun, and sinn3r, and include the Metasploit module exploits/multi/http/webpagetest_upload_exec.

AI-analyzed exploit summary: This Metasploit module exploits an arbitrary PHP file upload vulnerability in WebPageTest v2.6 or older. It uploads a malicious PHP file via the resultimage.php endpoint and executes it to achieve remote code execution.

Description

WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uploaded files to a publicly accessible directory. This flaw allows remote attackers to upload and execute arbitrary PHP code, resulting in full remote code execution under the web server context.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/20173

This Metasploit module exploits an arbitrary PHP file upload vulnerability in WebPageTest v2.6 or older. It uploads a malicious PHP file via the resultimage.php endpoint and executes it to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WebPageTest v2.6 or older
No auth needed
Prerequisites: Network access to the target WebPageTest instance · The target must have the vulnerable version installed
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by dun · text · webapps · php
https://www.exploit-db.com/exploits/19790

This exploit demonstrates multiple vulnerabilities in WebPagetest <= 2.6, including local file disclosure (LFD) and arbitrary file upload (AFU) via directory traversal and insecure file handling. The PoC provides clear examples of how to exploit these flaws to read sensitive files or upload malicious files.

Classification: Working PoC 100%
Attack Type: Info Leak | Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WebPagetest <= 2.6
No auth needed
Prerequisites: Access to the target web application · Ability to send HTTP requests to the vulnerable endpoints
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
by dun, sinn3r · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/webpagetest_upload_exec.rb

This Metasploit module exploits a file upload vulnerability in WebPageTest (CVE-2012-10049) by uploading a malicious PHP file to the server, leading to remote code execution. The exploit leverages the lack of file type verification in the resultimage.php endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WebPageTest v2.6 or older
No auth needed
Prerequisites: Network access to the target WebPageTest instance
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 9.3
EPSS: 0.0106
EPSS Percentile: 60.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (1): WPO Foundation/WebPageTest < 2.6
Published: Aug 08, 2025
Tracked Since: Feb 18, 2026