CVE-2019-19576

CRITICAL

verot.net class.upload <2.0.4 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-19576. PoCs published by Jinny Ramsmark, jra89.

AI-analyzed exploit summary: This exploit generates a malicious JPEG file with embedded PHP code to achieve Remote Code Execution (RCE) in Verot class.upload.php versions <=2.0.3. It injects a PHP payload into the JPEG file's end-of-file marker, bypassing image validation checks.

Description

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

Exploits (2)

exploitdb WORKING POC
by Jinny Ramsmark · php · webapps · php
https://www.exploit-db.com/exploits/47749

This exploit generates a malicious JPEG file with embedded PHP code to achieve Remote Code Execution (RCE) in Verot class.upload.php versions <=2.0.3. It injects a PHP payload into the JPEG file's end-of-file marker, bypassing image validation checks.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Verot class.upload.php <=2.0.3
No auth needed
Prerequisites: PHP with GD library installed · Target application using vulnerable Verot class.upload.php · Ability to upload files to the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 12 stars
by jra89 · poc
https://github.com/jra89/CVE-2019-19576

This repository contains a functional exploit for CVE-2019-19576, demonstrating arbitrary file upload and remote code execution in class.upload.php <= 2.0.3 via a phar extension bypass and image payload injection.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: class.upload.php <= 2.0.3
No auth needed
Prerequisites: PHP with GD extension · Target system with phar extension enabled
devstral-2 · analyzed Feb 19, 2026

References (10)

Core References
Vendor Advisory x_refsource_misc
https://www.verot.net/php_class_upload.htm
Product x_refsource_misc
https://www.verot.net
Patch, Third Party Advisory x_refsource_misc
https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4
Patch, Third Party Advisory x_refsource_misc
https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
Exploit, Third Party Advisory x_refsource_misc
https://github.com/jra89/CVE-2019-19576
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html

Scores

CVSS v3 9.8
EPSS 0.2618
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-434
Status published
Products (3)
getk2/k2 < 2.10.1
verot/class.upload.php 0 - 1.0.3 (Packagist)
verot_project/verot < 1.0.3
Published Dec 04, 2019
Tracked Since Feb 18, 2026