CVE-2026-23697
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar extension. The uploaded file is stored with its original .phar extension under the web-accessible storage directory, and a misconfigured .htaccess using Apache 2.2 syntax is silently ignored on Apache 2.4 deployments, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Vtiger | Vtiger CRM | 0 <= 8.3.0 | affected |
| Vtiger | Vtiger CRM | 8.4.0 | unaffected |
Weaknesses
- CWE-434: Unrestricted Upload of File with Dangerous Type
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://jivasecurity.com/writeups/vtiger-rce-phar-upload-cve-2026-23697
- https://www.vtiger.com/
- https://www.vulncheck.com/advisories/vtiger-crm-authenticated-file-upload-rce-via-documents-module
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.