EIP-2026-105478

PRE-CVE

Bilder Upload Script Datei Upload 1.09 - Arbitrary File Upload

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-105478. PoCs published by Mr.Benladen.

AI-analyzed exploit summary This exploit demonstrates an arbitrary file upload vulnerability in Bilder Upload Script 1.09, allowing attackers to bypass file extension restrictions and upload malicious PHP scripts disguised as images. The PoC instructs users to upload a file with a double extension (e.g., evil.php.jpg) or manipulate the filename parameter to achieve remote code execution.

Description

Bilder Upload Script Datei Upload 1.09 - Arbitrary File Upload

Exploits (1)

exploitdb WORKING POC
by Mr.Benladen · textwebappsphp
https://www.exploit-db.com/exploits/14078

This exploit demonstrates an arbitrary file upload vulnerability in Bilder Upload Script 1.09, allowing attackers to bypass file extension restrictions and upload malicious PHP scripts disguised as images. The PoC instructs users to upload a file with a double extension (e.g., evil.php.jpg) or manipulate the filename parameter to achieve remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Bilder Upload Script 1.09
No auth needed
Prerequisites: Access to the upload.php endpoint · Ability to craft a malicious file with a double extension or manipulate the filename parameter
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026