CVE-2023-31903

CRITICAL

GuppY CMS 6.00.10 - Unrestricted File Upload and Remote Code Execution via PHP File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-31903. PoCs published by Chokri Hammedi.

AI-analyzed exploit summary This exploit demonstrates a Remote Code Execution (RCE) vulnerability in GuppY CMS v6.00.10 by authenticating as an administrator, uploading a malicious PHP shell, and executing arbitrary commands. The exploit uses cURL to handle authentication and file upload processes.

Description

GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file.

Exploits (1)

exploitdb WORKING POC

by Chokri Hammedi · textwebappsphp

https://www.exploit-db.com/exploits/51052

View Code ZIP pw:eip

This exploit demonstrates a Remote Code Execution (RCE) vulnerability in GuppY CMS v6.00.10 by authenticating as an administrator, uploading a malicious PHP shell, and executing arbitrary commands. The exploit uses cURL to handle authentication and file upload processes.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GuppY CMS v6.00.10

Auth required

Prerequisites: Valid administrator credentials · Access to the target's admin panel

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/blue0x1/GuppY-exploit-rce

Exploit, Third Party Advisory, VDB Entry

https://www.exploit-db.com/exploits/51052

Scores

CVSS v3 9.8

EPSS 0.0208

EPSS Percentile 79.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

freeguppy/guppy 6.00.10

Published May 17, 2023

Tracked Since Feb 18, 2026