CVE-2023-53922

CRITICAL

TinyWebGallery v2.5 - RCE

Description

TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.

Exploits (1)

exploitdb WORKING POC
by Mirabbas Ağalarov · text · webapps · php
https://www.exploit-db.com/exploits/51443

Scores

CVSS v3 9.8
EPSS 0.0231
EPSS Percentile 84.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (2)
tinywebgallery/tinywebgallery 2.5
TinyWebGallery/TinyWebGallery 2.5
Published Dec 17, 2025
Tracked Since Feb 18, 2026