CVE-2023-53922 CRITICAL

CVE-2023-53922: TinyWebGallery v2.5 Remote Code Execution via Unrestricted File Upload

Vendor Tinywebgallery
Product TinyWebGallery
Weakness CWE-434 · Unrestricted file upload
Published December 17, 2025
Last update April 7, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.

Key dates

02 Disclosure timeline

December 17, 2025 CVE published
April 7, 2026 Record updated