Vulnerabilities ›

CVE-2026-10172

Medium

CWE-284 — Weakness Type

                    Published: May 31, 2026                      ·  Modified: Jun 3, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The manipulation of the argument module results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

🤖 AI Executive Summary

CVE-2026-10172 is a medium-severity unrestricted file upload vulnerability in Bdtask Multi-Store Inventory Management System 1.0 that allows remote attackers to upload arbitrary files through the Module component. The vulnerability exists in the Upload function with improper access controls (CWE-284), potentially enabling malware deployment, system compromise, or data exfiltration. With public exploit availability and no patch currently available, immediate mitigation is critical for affected organizations.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 31, 2026 13:00

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi retail and e-commerce organizations using Bdtask Multi-Store Inventory Management System. Most at-risk sectors include: (1) Retail & E-commerce companies managing multi-store operations, (2) Small-to-medium enterprises (SMEs) in distribution and wholesale, (3) Government procurement entities using inventory management systems, (4) Healthcare facilities managing medical supply inventories. The unrestricted file upload capability could enable attackers to deploy ransomware, steal customer data, compromise payment processing systems, or disrupt critical supply chain operations. Organizations subject to SAMA regulations (if handling financial transactions) or NCA compliance requirements face additional regulatory exposure.

🏢 Affected Saudi Sectors

Retail & E-commerce Small-to-Medium Enterprises (SMEs) Government & Public Sector Healthcare & Pharmaceuticals Wholesale & Distribution Logistics & Supply Chain

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1199 - Trusted Relationship T1566 - Phishing T1105 - Ingress Tool Transfer T1059 - Command and Scripting Interpreter T1486 - Data Encrypted for Impact T1565 - Data Manipulation

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all instances of Bdtask Multi-Store Inventory Management System 1.0 in your environment and isolate affected systems from production networks if possible

2. Restrict network access to the Module upload function using firewall rules - block external access to /application/modules/dashboard/controllers/Module.php

3. Implement Web Application Firewall (WAF) rules to block POST requests to the vulnerable upload endpoint

4. Review upload directories for suspicious files uploaded after system deployment

COMPENSATING CONTROLS (until patch available):

5. Implement strict file upload validation at the application level - whitelist only required file types and enforce file extension checks

6. Configure web server to prevent execution of uploaded files (disable script execution in upload directories via .htaccess or web.config)

7. Implement file integrity monitoring on upload directories to detect unauthorized file additions

8. Enable comprehensive logging and monitoring of all upload activities

9. Restrict file upload functionality to authenticated users only with role-based access controls

10. Store uploaded files outside the web root directory

DETECTION RULES:

- Monitor for POST requests to /application/modules/dashboard/controllers/Module.php with 'module' parameter

- Alert on file uploads with executable extensions (.php, .exe, .sh, .jsp, .asp) to upload directories

- Track failed authentication attempts followed by upload attempts

- Monitor for unusual file access patterns in upload directories

PATCHING:

11. Contact Bdtask vendor for security updates or consider migration to patched version when available

12. Subscribe to vendor security advisories for patch release notifications

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع حالات نظام إدارة المخزون متعدد المتاجر من Bdtask الإصدار 1.0 في بيئتك وعزل الأنظمة المتأثرة عن شبكات الإنتاج إن أمكن

2. قيد الوصول إلى شبكة دالة التحميل في Module باستخدام قواعد جدار الحماية - احجب الوصول الخارجي إلى /application/modules/dashboard/controllers/Module.php

3. طبق قواعد جدار تطبيقات الويب (WAF) لحجب طلبات POST إلى نقطة النهاية المعرضة للخطر

4. راجع دلائل التحميل بحثاً عن ملفات مريبة تم تحميلها بعد نشر النظام



الضوابط البديلة (حتى توفر التصحيح):

5. طبق التحقق الصارم من تحميل الملفات على مستوى التطبيق - قائمة بيضاء لأنواع الملفات المطلوبة فقط وفرض فحوصات امتداد الملفات

6. قم بتكوين خادم الويب لمنع تنفيذ الملفات المحملة (تعطيل تنفيذ البرامج النصية في دلائل التحميل عبر .htaccess أو web.config)

7. طبق مراقبة سلامة الملفات على دلائل التحميل للكشف عن إضافات الملفات غير المصرح بها

8. فعّل تسجيل شامل ومراقبة جميع أنشطة التحميل

9. قيد وظيفة تحميل الملفات للمستخدمين المصرح لهم فقط مع عناصر تحكم الوصول القائمة على الأدوار

10. قم بتخزين الملفات المحملة خارج دليل جذر الويب



قواعد الكشف:

- راقب طلبات POST إلى /application/modules/dashboard/controllers/Module.php مع معامل 'module'

- تنبيه عند تحميل الملفات بامتدادات قابلة للتنفيذ (.php, .exe, .sh, .jsp, .asp) إلى دلائل التحميل

- تتبع محاولات المصادقة الفاشلة متبوعة بمحاولات التحميل

- راقب أنماط الوصول غير العادية للملفات في دلائل التحميل



التصحيح:

11. اتصل بمورد Bdtask للحصول على تحديثات الأمان أو فكر في الترحيل إلى نسخة معدلة عند توفرها

12. اشترك في إشعارات أمان المورد لإخطارات إصدار التصحيح

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Information security requirements for supplier relationships ECC 2024 A.14.2.5 - Addressing information security in supplier agreements ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.12.2.1 - Secure development policy

🔵 SAMA CSF

SAMA CSF ID.BE-1 - Business objectives and strategies SAMA CSF PR.AC-1 - Access control policy and procedures SAMA CSF PR.DS-1 - Data security policy SAMA CSF DE.CM-1 - Detection and analysis

🟡 ISO 27001:2022

ISO 27001:2022 A.5.23 - Information security for supplier relationships ISO 27001:2022 A.8.1 - Organizational controls ISO 27001:2022 A.8.3 - Segregation of duties ISO 27001:2022 A.14.2 - Supplier security

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates PCI DSS 6.5.8 - Improper access control PCI DSS 11.2 - Vulnerability scanning

🔗 References & Sources 5

🔗

https://github.com/kevin57545/CVE/blob/main/bdtask-multi-store-rce.md

cna@vuldb.com

🔗

https://vuldb.com/cve/CVE-2026-10172

cna@vuldb.com

🔗

https://vuldb.com/submit/819418

cna@vuldb.com

🔗

https://vuldb.com/vuln/367429

cna@vuldb.com

🔗

https://vuldb.com/vuln/367429/cti

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-284

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-05-31

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-284

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-10172

Introduce Yourself

Sign In Required