CVE-2012-10049
WebPageTest Arbitrary PHP File Upload RCE
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uploaded files to a publicly accessible directory. This flaw allows remote attackers to upload and execute arbitrary PHP code, resulting in full remote code execution under the web server context.
| CWE | CWE-434 |
| Vendor | wpo foundation |
| Product | webpagetest |
| Published | Aug 8, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
WPO Foundation / WebPageTest
* ≤ 2.6
References
* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/webpagetest_upload_exec.rb
* exploit-db.com: https://www.exploit-db.com/exploits/19790
* exploit-db.com: https://www.exploit-db.com/exploits/20173
* broadcom.com: https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=26148
* github.com: https://github.com/catchpoint/WebPageTest
* vulncheck.com: https://www.vulncheck.com/advisories/webpagetest-arbitrary-php-file-upload-rce
Credits
dun