CVE-2023-53922

CRITICAL

TinyWebGallery 2.5 - Unauthenticated Remote Code Execution via Malicious PHAR File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53922. PoCs published by Mirabbas Ağalarov.

AI-analyzed exploit summary

This exploit demonstrates a file upload vulnerability in TinyWebGallery v2.5, allowing an attacker to upload a malicious .phar file containing PHP code for remote command execution. The PoC includes a multipart/form-data request to bypass restrictions and execute arbitrary commands.

Description

TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.

Exploits (1)

exploitdb WORKING POC
by Mirabbas Ağalarov · textwebappsphp
https://www.exploit-db.com/exploits/51443


Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: TinyWebGallery v2.5
Auth required
Prerequisites: Access to the admin upload interface · Valid session cookie (PHPSESSID)
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core references (3):

- https://www.exploit-db.com/exploits/51443 (Exploit, Third Party Advisory, VDB Entry · exploit)

Scores

CVSS v3: 9.8
EPSS: 0.0093
EPSS percentile: 55.8%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical impact: total

Details

CWE: CWE-434
Status: published
Products (2):
- tinywebgallery/tinywebgallery 2.5
- TinyWebGallery/TinyWebGallery 2.5
Published: Dec 17, 2025
Tracked since: Feb 18, 2026