{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T16:14:01.645","vulnerabilities":[{"cve":{"id":"CVE-2012-10049","sourceIdentifier":"disclosure@vulncheck.com","published":"2025-08-08T19:15:35.040","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uploaded files to a publicly accessible directory. This flaw allows remote attackers to upload and execute arbitrary PHP code, resulting in full remote code execution under the web server context."},{"lang":"es","value":"WebPageTest versión 2.6 y anteriores contienen una vulnerabilidad de carga de archivos arbitrarios en el script resultimage.php. La aplicación no valida ni depura la información proporcionada por el usuario antes de guardar los archivos subidos en un directorio de acceso público. 
Esta falla permite a atacantes remotos cargar y ejecutar código PHP arbitrario, lo que resulta en la ejecución remota de código completa en el contexto del servidor web."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-434"}]}],"references":[{"url":"https://github.com/catchpoint/WebPageTest","source":"disclosure@vulncheck.com"},{"url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/webpagetest_u
pload_exec.rb","source":"disclosure@vulncheck.com"},{"url":"https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=26148","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/19790","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/20173","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/webpagetest-arbitrary-php-file-upload-rce","source":"disclosure@vulncheck.com"},{"url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/webpagetest_upload_exec.rb","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"},{"url":"https://www.exploit-db.com/exploits/19790","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"},{"url":"https://www.exploit-db.com/exploits/20173","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}]}