CVE-2025-15426

HIGH

H-ui.admin <3.1 - Unrestricted Upload

Title source: llm

Description

A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (5)

Core 5

Core References

Permissions Required, VDB Entry vdb-entry

https://vuldb.com/?id.339348

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.339348

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/?submit.721457

Various Sources related

https://github.com/TiKi-r/CVE-Report/blob/main/H-ui.admin%20RCE.md

View Writeup ZIP pw:eip

Various Sources exploit

https://github.com/TiKi-r/CVE-Report/blob/main/H-ui.admin%20RCE.md#4-proof-of-concept-poc

View Writeup ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0042

EPSS Percentile 33.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-284 CWE-434

Status published

Products (2)

jackying/H-ui.admin 3.0

jackying/H-ui.admin 3.1

Published Jan 02, 2026

Tracked Since Feb 18, 2026