CVE-2013-10038

UNKNOWN 0.0

FlashChat Arbitrary File Upload RCE

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, allowing attackers to upload malicious PHP scripts. Once uploaded, these scripts can be executed remotely, resulting in arbitrary code execution as the web server user.

CWE	CWE-434
Vendor	tufat
Product	flashchat
Published	Jul 31, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for tufat flashchat

Be the first to know when new unknown vulnerabilities affecting tufat flashchat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

TUFaT / FlashChat

6.0.2 6.0.4 ≤ 6.0.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/flashchat_upload_exec.rb exploit-db.com: https://www.exploit-db.com/exploits/28709 fortiguard.com: https://www.fortiguard.com/encyclopedia/ips/37342/flashchat-arbitrary-file-upload phpbb.com: https://www.phpbb.com/community/viewtopic.php?t=2627786 vulncheck.com: https://www.vulncheck.com/advisories/flashchat-arbitrary-file-upload-rce

Credits

x-hayben21