CVE-2019-19634

CRITICAL

verot.net class.upload <2.0.4 - Info Disclosure

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-19634. PoCs published by jra89.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2019-19634, demonstrating arbitrary file upload and remote code execution in class.upload.php <= 2.0.4 by bypassing the file extension blacklist and injecting PHP code into a valid image file.

Description

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

Exploits (1)

nomisec WORKING POC 36 stars
by jra89 · poc
https://github.com/jra89/CVE-2019-19634

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: class.upload.php <= 2.0.4
No auth needed
Prerequisites: PHP and PHP-GD installed · Target system with vulnerable class.upload.php version
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.8
EPSS 0.1495
EPSS Percentile 94.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-434
Status published
Products (3)
getk2/k2 < 2.10.1
verot/class.upload.php 0Packagist
verot_project/verot < 1.0.3
Published Dec 17, 2019
Tracked Since Feb 18, 2026