{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/shiroiadmin--1.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-15488"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["shiroiAdmin \u003c 1.4"],"_cs_severities":["high"],"_cs_tags":["vulnerability","web","file-upload","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":["hcr707305003"],"content_html":"\u003cp\u003eA high-severity vulnerability, identified as CVE-2026-15488, has been discovered in hcr707305003 shiroiAdmin versions 1.1 and 1.3. This flaw, residing in the \u003ccode\u003eFileController::upload\u003c/code\u003e function located within \u003ccode\u003eapp/common/controller/FileController.php\u003c/code\u003e, allows for unrestricted file uploads. Attackers can remotely exploit this vulnerability by manipulating the 'File' argument during an upload request, enabling them to bypass security checks and place arbitrary files, including web shells, onto the server. This can lead to remote code execution and full compromise of the affected system. A public exploit for this vulnerability exists, increasing the urgency for immediate patching. The vendor, hcr707305003, was contacted but did not respond to the disclosure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an internet-facing hcr707305003 shiroiAdmin 1.1 or 1.3 instance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP POST request targeting the \u003ccode\u003eFileController::upload\u003c/code\u003e function in \u003ccode\u003eapp/common/controller/FileController.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the 'File' argument within the request to include a malicious file, such as a web shell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e, \u003ccode\u003ecmd.jsp\u003c/code\u003e, \u003ccode\u003emalware.asp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eFileController::upload\u003c/code\u003e function processes the request without proper validation of the uploaded file's type or content.\u003c/li\u003e\n\u003cli\u003eThe malicious file (web shell) is successfully uploaded and stored on the web server in an accessible location.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a subsequent HTTP GET or POST request to access and execute the uploaded web shell.\u003c/li\u003e\n\u003cli\u003eThe web shell provides the attacker with arbitrary code execution capabilities on the underlying server.\u003c/li\u003e\n\u003cli\u003eAttacker leverages code execution for further compromise, such as data exfiltration, privilege escalation, or deploying additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15488 leads to arbitrary code execution on the server hosting hcr707305003 shiroiAdmin. This allows attackers to gain full control over the compromised system, potentially enabling them to steal sensitive data, deface websites, install additional malware, establish persistence, or pivot to other systems within the network. Since a public exploit is available, any organization utilizing affected versions of shiroiAdmin is at critical risk of immediate and severe compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15488 immediately by upgrading hcr707305003 shiroiAdmin to version 1.4 or higher.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-15488 Exploitation - Unrestricted File Upload\u0026quot; to your SIEM and monitor web server logs for suspicious POST requests to the \u003ccode\u003eFileController::upload\u003c/code\u003e endpoint with malicious file extensions.\u003c/li\u003e\n\u003cli\u003eEnsure web server logging is comprehensive, capturing HTTP method, URI stem, URI query, and response status codes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T09:18:26Z","date_published":"2026-07-12T09:18:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-shiroiadmin-unrestricted-upload/","summary":"A remote unrestricted file upload vulnerability (CVE-2026-15488) exists in hcr707305003 shiroiAdmin versions 1.1 and 1.3, allowing attackers to upload arbitrary files by manipulating the 'File' argument in FileController::upload, potentially leading to remote code execution.","title":"Unrestricted File Upload Vulnerability in hcr707305003 shiroiAdmin","url":"https://feed.craftedsignal.io/briefs/2026-07-shiroiadmin-unrestricted-upload/"}],"language":"en","title":"CraftedSignal Threat Feed - ShiroiAdmin \u003c 1.4","version":"https://jsonfeed.org/version/1.1"}