CVE-2026-6561
Medium
Low
Medium
High
Critical
4.7
CVSS Score
Vulnerability Description
A vulnerability was detected in EyouCMS up to 1.7.1. This issue affects the function edit_adminlogo of the file application/admin/controller/Index.php. Performing a manipulation of the argument filename results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Attack Vector
N
Attack Complexity
L
Privileges Required
H
User Interaction
N
Scope
U
Confidentiality
L
Integrity
L
Availability
L
References & Resources
-
https://github.com/zzk6th/my-cve-notes/blob/main/EyouCMS%20Arbitrary%20File%20Copy%20Vulnerability%20in%20edit_adminlogo()%20Leading%20to%20Sensitive%20Information%20Disclosure.mdcna@vuldb.com
-
https://vuldb.com/submit/788038cna@vuldb.com
-
https://vuldb.com/vuln/358198cna@vuldb.com
-
https://vuldb.com/vuln/358198/cticna@vuldb.com
Severity Details
4.7
out of 10.0
Medium
Weakness Type (CWE)
CWE-284
Improper Access Control
- Description
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- Typical Severity
- Medium
- Abstraction Level
- Pillar
Key Information
- Published Date
- April 19, 2026
