CVE-2025-15426

Severity: High (CVSS v3.1 base score 7.3)
Weakness type: CWE-284, Improper Access Control, as assigned by the source. The behaviour described, an upload endpoint that accepts files of any type, is more specifically CWE-434 (Unrestricted Upload of File with Dangerous Type).
Published: Jan 2, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
📄 Description (English)

A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Executive Summary

CVE-2025-15426 is a high-severity (CVSS 7.3) unrestricted file upload vulnerability in jackying H-ui.admin up to version 3.1, located in the bundled WebUploader 0.1.5 server script /lib/webuploader/0.1.5/server/preview.php. The endpoint is reachable remotely without authentication or user interaction (AV:N/PR:N/UI:N) and accepts files without adequate validation of their type. The CVSS vector rates the direct impact as Low on confidentiality, integrity and availability; remote code execution follows only if the web server will execute what is uploaded, so the practical severity depends on where uploads land and how that directory is served. A public exploit exists and the vendor did not respond to the disclosure, so no fix should be expected and the component should be treated as permanently unpatched.

🤖 AI Intelligence Analysis (analyzed May 5, 2026 05:17)
🇸🇦 Saudi Arabia Impact Assessment
Exposure for Saudi organizations depends on whether H-ui.admin, or just its bundled WebUploader server scripts, is present in a reachable web application; the flaw itself has no sector-specific aspect. Deployments that would matter most: (1) government agencies and NCA-regulated entities using the framework for administrative portals; (2) SAMA-regulated banks and financial institutions where the library is embedded in web applications; (3) healthcare providers using it for patient management systems; (4) telecommunications operators (for example STC or Mobily) if it is deployed in customer-facing portals; (5) energy-sector organizations (for example Aramco subsidiaries) using it for operational dashboards. An unauthenticated unrestricted upload lets an attacker drop a web shell if the upload directory is served with script execution enabled, and from there establish persistence or exfiltrate sensitive data.
🏢 Affected Saudi Sectors
Government, Banking and Financial Services, Healthcare, Telecommunications, Energy, Education, E-commerce
⚖️ Saudi Risk Score (AI)
8.2 / 10.0
🔧 Remediation Steps
IMMEDIATE ACTIONS:
1. Identify all systems that ship jackying H-ui.admin version 3.1 or earlier through asset inventory and dependency scanning; check for the bundled server scripts under /lib/webuploader/0.1.5/server/ even where the upload feature is not used.
2. Block access to /lib/webuploader/0.1.5/server/preview.php immediately with a WAF rule, a web-server deny rule or a network ACL. The endpoint needs no privileges (PR:N in the CVSS vector), so restricting it to trusted source addresses is a stopgap, not a fix.
3. Enforce upload restrictions at the application level: allowlist permitted extensions and content types, validate the MIME type server-side from the file content rather than the client-supplied Content-Type header, and store uploads outside the web root under a server-generated filename.
4. Review upload directories for files created since the disclosure date (Jan 2, 2026), especially anything with a server-side script extension.

PATCHING GUIDANCE:
1. Check the vendor's repository for a fixed release. At the time of the NVD entry the vendor had not responded to the disclosure and no fixed version is listed, so plan on compensating controls rather than waiting for a patch.
2. If the upload feature is unused, remove the bundled webuploader server scripts; if it is used, replace them with a maintained upload handler that performs the validation above.
3. Validate file names and content: accept only allowlisted extensions and reject server-executable extensions together with their variants (.php, .phtml, .phar, .php3/.php5, .jsp, .asp/.aspx, .exe, .sh); treat a double extension such as image.php.jpg as suspicious. An extension denylist alone is bypassable and serves as a backstop to the allowlist, not a replacement for it.

COMPENSATING CONTROLS:
1. Deploy a WAF rule that blocks every request to preview.php, not only multipart POSTs: once the feature is disabled the endpoint has no legitimate use.
2. Apply strict file permissions: the upload directory must be writable by the web server account but never executable.
3. Configure the web server to refuse to execute scripts in upload directories (no PHP handler for that path, or an explicit deny for script extensions under it).
4. Enable file integrity monitoring on upload directories
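The compensating controls above expressed as web-server configuration, as an added example; this is not configuration shipped with H-ui.admin or WebUploader. It assumes nginx fronting PHP-FPM through an upstream named `php-fpm` and an upload directory served at `/uploads/`; both names are assumptions to adapt to the deployment.

```nginx
# Added example for CVE-2025-15426: deny the vulnerable endpoint and make the
# upload directory non-executable. Upstream "php-fpm" and the /uploads/ path
# are assumptions, not values from the advisory.

# 1. Deny the vulnerable endpoint outright. An exact-match location (=) is
#    chosen before any regex location, so the PHP handler below never sees it.
location = /lib/webuploader/0.1.5/server/preview.php {
    return 403;
}

# 2. Serve the upload directory as static files only. ^~ stops the regex search,
#    so the generic \.php$ handler does not apply under /uploads/, and the nested
#    location rejects script extensions (including common variants) explicitly.
location ^~ /uploads/ {
    location ~* \.(php[0-9]?|phtml|phar|pht)$ {
        return 403;
    }
    try_files $uri =404;
}

# 3. Normal PHP handler for the rest of the site. try_files makes nginx check
#    that the script actually exists, which defeats the PATH_INFO trick of
#    requesting /uploads/image.jpg/x.php to get a non-PHP file interpreted.
location ~ \.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php-fpm;
}
```

Test the first block with a request to the endpoint and confirm a 403, then place a harmless `test.php` under the upload directory and confirm it is returned as 403 rather than executed; the file permissions in control 2 remain necessary because nginx rules do not protect against execution by other paths (cron, CLI) on the host.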

DETECTION RULES:
1. Alert on any request to /lib/webuploader/0.1.5/server/preview.php: POST is the upload method, but GET probes indicate scanning for the endpoint.
2. Alert on uploaded file names with server-executable extensions, double extensions or suspicious MIME types.
3. Track creation of new files in upload directories with timestamps after the disclosure date.
4. Correlate an HTTP 200 from preview.php with a subsequent GET to a file in the upload directory from the same client; that sequence is the drop-then-access pattern of a web shell.
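The log-based rules above (1, 2 and 4) implemented over web-server access logs, as an added example that is not part of the advisory or the H-ui.admin project. The upload directory `/uploads/` and the sample log lines are constructed for the example; the endpoint path comes from the advisory.

```python
"""Detections for abuse of the WebUploader preview.php endpoint (CVE-2025-15426):
flag requests to the endpoint, flag dangerous file names under the upload
directory, and correlate a 200 from preview.php with a later fetch of an
uploaded file by the same client. Added example, not project code."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

PREVIEW_PATH = "/lib/webuploader/0.1.5/server/preview.php"
UPLOAD_PREFIX = "/uploads/"  # assumed upload directory; adjust to the deployment

# Server-side executable extensions plus the variants used to slip past naive filters.
DANGEROUS_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
    "jsp", "jspx", "asp", "aspx", "ashx", "cgi", "pl", "sh", "exe",
}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


@dataclass
class Event:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop the query string
    return Event(m["ip"], m["ts"], m["method"], path, int(m["status"]))


def is_dangerous_filename(name: str) -> bool:
    """True if any extension component is server-executable.

    Every component after the first dot is checked, so 'shell.php.jpg' is caught
    as well as 'shell.php'; the null-byte and trailing-dot tricks
    ('shell.php\\x00.jpg', 'shell.php.') are normalised away before the check."""
    base = name.rsplit("/", 1)[-1].lower()
    base = base.split("\x00", 1)[0].rstrip(". ")
    return any(part in DANGEROUS_EXTS for part in base.split(".")[1:])


def scan(lines: Iterable[str]) -> List[str]:
    """Apply the three log rules in order and return one alert string per hit."""
    alerts: List[str] = []
    pending: Dict[str, str] = {}  # client ip -> timestamp of its last 200 from preview.php
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.path == PREVIEW_PATH:
            kind = "upload attempt" if ev.method == "POST" else "probe"
            alerts.append(f"[preview.php {kind}] {ev.ip} {ev.method} -> {ev.status}")
            if ev.status == 200:
                pending[ev.ip] = ev.ts
        elif ev.path.startswith(UPLOAD_PREFIX):
            if is_dangerous_filename(ev.path):
                alerts.append(f"[dangerous upload name] {ev.ip} {ev.method} {ev.path}")
            if ev.ip in pending:
                alerts.append(
                    f"[drop-then-access] {ev.ip} hit preview.php at {pending.pop(ev.ip)} "
                    f"then fetched {ev.path}"
                )
    return alerts


# Constructed sample log, not real traffic: one attacker (203.0.113.7) probes,
# uploads, then fetches a PHP file; one normal user (198.51.100.4) views an avatar.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2026:05:01:10 +0300] "GET /lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 61 "-" "curl/8.5.0"
203.0.113.7 - - [05/May/2026:05:01:12 +0300] "POST /lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 128 "-" "curl/8.5.0"
203.0.113.7 - - [05/May/2026:05:01:15 +0300] "GET /uploads/preview_1a2b.php HTTP/1.1" 200 37 "-" "curl/8.5.0"
198.51.100.4 - - [05/May/2026:05:02:00 +0300] "GET /uploads/avatar.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [05/May/2026:05:02:03 +0300] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample and the attacker produces four alerts (a probe, an upload attempt, a dangerous file name and the drop-then-access correlation) while the normal user produces none. Rule 3 (new files in the upload directory) is a file-integrity or file-system watch, not a log rule, and is covered by the compensating control above.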
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1: Information security requirements for supplier relationships
ECC 2024 A.14.2.5: Addressing information security in supplier agreements
ECC 2024 A.12.6.1: Management of technical vulnerabilities
ECC 2024 A.12.2.1: Secure development policy
🔵 SAMA CSF
SAMA CSF ID.BE-1: Asset Management
SAMA CSF PR.DS-6: Data is protected from unauthorized access
SAMA CSF PR.IP-1: Security policies and procedures are maintained
SAMA CSF DE.CM-8: Malware detection tools are deployed
🟡 ISO/IEC 27001:2022 (Annex A)
A.5.9: Inventory of information and other associated assets
A.8.8: Management of technical vulnerabilities
A.8.25: Secure development life cycle
A.8.26: Application security requirements
🟣 PCI DSS v4.0.1
6.2.4: Software engineering techniques to prevent or mitigate common software attacks, including attacks on access control mechanisms
6.3.3: Critical or high security patches installed within one month of release
11.3.1 / 11.3.2: Internal and external vulnerability scans performed at least once every three months
📊 CVSS v3.1 Base Score
7.3 / 10.0 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: None (N)
User Interaction: None (N)
Scope: Unchanged (U)
Confidentiality: Low (L)
Integrity: Low (L)
Availability: Low (L)
📋 Quick Facts
Severity: High
CVSS Score: 7.3
CWE: CWE-284
EPSS: 0.02% (low predicted exploitation probability despite the public exploit)
Exploit: Yes, publicly available per the NVD description
Patch: No vendor fix reported; the vendor did not respond to the disclosure
Published: 2026-01-02
Source Feed: nvd
Saudi Risk Score: 8.2 / 10.0
Priority: CRITICAL