phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
phpUploader versions before 2.0.2 have a critical information disclosure flaw that exposes sensitive database contents to unauthenticated attackers. Visiting any application page returns the complete uploaded-files database table, rendered as JSON in an inline script block. The disclosure covers several categories of data: uploader IP addresses (enabling reconnaissance), Argon2ID key hashes (enabling offline cracking attacks), internal filenames (revealing system architecture), and SHA-256 file fingerprints (enabling file correlation and targeting). Organizations running affected versions expose these credential hashes and system metadata to anyone who can reach the application, with no authentication or special access required.
Casky's Claude-powered analysis engine maps this vulnerability to data exfiltration and reconnaissance patterns despite the absence of mapped MITRE ATT&CK techniques in the CVE record itself. Practitioners using Casky would identify the attack chain through skill detection of: (1) unauthenticated web access patterns indicating broken authentication controls, (2) information exposure detection flagging unbounded database queries in client-side contexts, (3) credential discovery indicators when hash artifacts appear in web responses, and (4) reconnaissance behavior when IP address enumeration becomes possible through database disclosure. Extended reasoning across Casky's 754 security skills would correlate CWE-359 (Privacy Violation) and CWE-497 (Exposure of System Data) with common attack prerequisites, enabling practitioners to detect exploitation attempts through anomalous database query volumes, unexpected JSON payloads in responses, and hash-dumping tool signatures.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-56124. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation