CVE-2026-6573 MEDIUM

CVE-2026-6573: PHPEMS Instant Exam Creation exams.master.php temppage server-side request forgery

Vendor N/A

Product PHPEMS

Weakness CWE-918 · SSRF

Published April 19, 2026

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability was detected in PHPEMS 11.0. This affects the function temppage of the file /app/exam/controller/exams.master.php of the component Instant Exam Creation Handler. The manipulation of the argument uploadfile results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used.

Key dates

Disclosure timeline

April 19, 2026 CVE published

April 20, 2026 Record updated