CVE-2026-2113

HIGH

yuan1994 tpadmin <1.3.12 - Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-2113. PoCs published by XiaomingX, MaxMnMl.

AI-analyzed exploit summary: The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for admin credentials and password hashes.

Description

A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. It affects an unknown part of the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php in the WebUploader component. Manipulation leads to deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2113

The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for admin credentials and password hashes.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by MaxMnMl · poc
https://github.com/MaxMnMl/tpadmin-CVE-2026-2113-poc

This PoC demonstrates a Remote Code Execution (RCE) vulnerability in H-ui.admin system's WebUploader preview component via arbitrary file upload. The exploit leverages a lack of authentication and file validation in `/public/static/admin/lib/webuploader/0.1.5/server/preview.php` to upload a malicious PHP file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: tpadmin up to version 1.3.12
No auth needed
Prerequisites: Access to the target server's WebUploader preview endpoint
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Permissions Required, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.344688
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.344688
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.746795

Scores

CVSS v3 7.3
EPSS 0.0055
EPSS Percentile 41.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-20 CWE-434 CWE-502
Status published
Products (1)
tpadmin_project/tpadmin < 1.3.12
Published Feb 07, 2026
Tracked Since Feb 18, 2026