A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
PUBLISHED5.2CWE-502CWE-20unsupported-when-assigned
yuan1994 tpadmin WebUploader preview.php deserialization
Problem type
Affected products
yuan1994
tpadmin
1.3.0 - AFFECTED
1.3.1 - AFFECTED
1.3.2 - AFFECTED
1.3.3 - AFFECTED
1.3.4 - AFFECTED
1.3.5 - AFFECTED
1.3.6 - AFFECTED
1.3.7 - AFFECTED
1.3.8 - AFFECTED
1.3.9 - AFFECTED
1.3.10 - AFFECTED
1.3.11 - AFFECTED
1.3.12 - AFFECTED
References
VDB-344688 | yuan1994 tpadmin WebUploader preview.php deserialization
https://vuldb.com/?id.344688
VDB-344688 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/?ctiid.344688
Submit #746795 | https://github.com/yuan1994/tpadmin cms v1.3 RCE
https://vuldb.com/?submit.746795
github.com
https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md
GitHub Security Advisories
GHSA-2pp3-pxpf-p8gg
A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an...
https://github.com/advisories/GHSA-2pp3-pxpf-p8ggA security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-2113
github.com
https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md
vuldb.com
https://vuldb.com/?ctiid.344688
vuldb.com
https://vuldb.com/?id.344688
vuldb.com
https://vuldb.com/?submit.746795
github.com
https://github.com/advisories/GHSA-2pp3-pxpf-p8gg
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-2113Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-2113",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-02-07T21:02:06.860Z",
"dateReserved": "2026-02-06T14:37:20.590Z",
"datePublished": "2026-02-07T21:02:06.860Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-02-07T21:02:06.860Z"
},
"title": "yuan1994 tpadmin WebUploader preview.php deserialization",
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer."
}
],
"affected": [
{
"vendor": "yuan1994",
"product": "tpadmin",
"modules": [
"WebUploader"
],
"versions": [
{
"version": "1.3.0",
"status": "affected"
},
{
"version": "1.3.1",
"status": "affected"
},
{
"version": "1.3.2",
"status": "affected"
},
{
"version": "1.3.3",
"status": "affected"
},
{
"version": "1.3.4",
"status": "affected"
},
{
"version": "1.3.5",
"status": "affected"
},
{
"version": "1.3.6",
"status": "affected"
},
{
"version": "1.3.7",
"status": "affected"
},
{
"version": "1.3.8",
"status": "affected"
},
{
"version": "1.3.9",
"status": "affected"
},
{
"version": "1.3.10",
"status": "affected"
},
{
"version": "1.3.11",
"status": "affected"
},
{
"version": "1.3.12",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Deserialization",
"cweId": "CWE-502",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Improper Input Validation",
"cweId": "CWE-20",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/?id.344688",
"name": "VDB-344688 | yuan1994 tpadmin WebUploader preview.php deserialization",
"tags": [
"vdb-entry"
]
},
{
"url": "https://vuldb.com/?ctiid.344688",
"name": "VDB-344688 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/?submit.746795",
"name": "Submit #746795 | https://github.com/yuan1994/tpadmin cms v1.3 RCE",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md",
"tags": [
"exploit"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 7.3,
"baseSeverity": "HIGH"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 7.3,
"baseSeverity": "HIGH"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"baseScore": 7.5
}
}
],
"timeline": [
{
"time": "2026-02-06T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-02-06T01:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-02-06T15:42:34.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "sT1TcH (VulDB User)",
"type": "reporter"
}
],
"tags": [
"unsupported-when-assigned"
]
}
}
}