CVE-2012-10037

UNKNOWN 0.0

PhpTax pfilez Parameter Exec Remote Code Injection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

PhpTax version 0.8 contains a remote code execution vulnerability in drawimage.php. The pfilez GET parameter is unsafely passed to the exec() function without sanitization. A remote attacker can inject arbitrary shell commands, leading to code execution under the web server's context. No authentication is required.

CWE	CWE-78
Vendor	phptax
Product	phptax
Published	Aug 11, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for phptax phptax

Be the first to know when new unknown vulnerabilities affecting phptax phptax are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

PhpTax / PhpTax

0.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/phptax_exec.rb exploit-db.com: https://www.exploit-db.com/exploits/21665 exploit-db.com: https://www.exploit-db.com/exploits/21833 sourceforge.net: https://sourceforge.net/projects/phptax/

Credits

Jean Pascal Pereira