CVE-2020-28688

HIGH

Artworks Gallery 1.0 - Unauthenticated Arbitrary File Upload via Add Artwork

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28688. PoCs published by Shahrukh Iqbal Mirza.

AI-analyzed exploit summary: This exploit demonstrates an authenticated arbitrary file upload vulnerability in Artworks Gallery 1.0, allowing an attacker to upload a malicious PHP shell and achieve remote code execution (RCE). The PoC outlines steps to authenticate, navigate to the file upload section, and upload a shell to gain command execution.

Description

The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.

Exploits (1)

exploitdb WORKING POC
by Shahrukh Iqbal Mirza · text · webapps · multiple
https://www.exploit-db.com/exploits/49166

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Artworks Gallery 1.0
Auth required
Prerequisites: Valid user credentials or ability to sign up as an artist · Access to the file upload functionality
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/160095/Artworks-Gallery-1.0-Shell-Upload.html

Scores

CVSS v3 8.8
EPSS 0.1189
EPSS Percentile 95.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status published
Products (1)
artworks_gallery_in_php\,_css\,_javascript\,_and_mysql_project/artworks_gallery_in_php\,_css\,_javascript\,_and_mysql 1.0
Published Nov 17, 2020
Tracked Since Feb 18, 2026