Back to overview

CVE-2026-23697

HIGH Exploitation: PoC
8.8
CVSS 3.1
Description
Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar extension. The uploaded file is stored with its original .phar extension under the web-accessible storage directory, and a misconfigured .htaccess using Apache 2.2 syntax is silently ignored on Apache 2.4 deployments, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload.

Metadata

CVE ID
CVE-2026-23697
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-01-14 22:02 UTC
Published
2026-07-07 16:17 UTC
Last updated
2026-07-07 17:31 UTC
Primary CWE
CWE-434
Unrestricted Upload of File with Dangerous Type
Vendor / Product
Vtiger / Vtiger CRM
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Vtiger Vtiger CRM 0 ≤ 8.3.0, 8.4.0
Weakness (CWE)
CWESourceDescription
CWE-434 cna Unrestricted Upload of File with Dangerous Type
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview