EIP-2026-111611

PRE-CVE

qdPM 7.0 - Arbitrary '.PHP' File Upload (Metasploit)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111611. PoCs published by Metasploit.

AI-analyzed exploit summary This Metasploit module exploits an arbitrary PHP file upload vulnerability in qdPM v7 via the user profile photo upload feature, allowing remote code execution. It supports both PHP and Linux payloads and requires valid credentials for authentication.

Description

qdPM 7.0 - Arbitrary '.PHP' File Upload (Metasploit)

Exploits (1)

exploitdb WORKING POC VERIFIED

by Metasploit · rubywebappsphp

https://www.exploit-db.com/exploits/21835

View Code ZIP pw:eip

This Metasploit module exploits an arbitrary PHP file upload vulnerability in qdPM v7 via the user profile photo upload feature, allowing remote code execution. It supports both PHP and Linux payloads and requires valid credentials for authentication.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM v7

Auth required

Prerequisites: Valid credentials for qdPM · Network access to the target

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026