CVE-2026-6573 Overview
CVE-2026-6573 is a Server-Side Request Forgery (SSRF) vulnerability in PHPEMS 11.0. The flaw resides in the temppage function of /app/exam/controller/exams.master.php, part of the Instant Exam Creation Handler component. Attackers can manipulate the uploadfile argument to coerce the server into issuing arbitrary outbound requests. The issue is classified under CWE-918 and is exploitable remotely with low privileges. Public exploit details have been disclosed, increasing the likelihood of opportunistic abuse against exposed PHPEMS deployments.
Critical Impact
Remote authenticated attackers can use the affected PHPEMS server as a proxy to reach internal network resources, cloud metadata services, or arbitrary external systems.
Affected Products
- PHPEMS 11.0
- Component: Instant Exam Creation Handler (/app/exam/controller/exams.master.php)
- Affected function: temppage
Discovery Timeline
- 2026-04-19 - CVE-2026-6573 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-6573
Vulnerability Analysis
The vulnerability exists in the temppage function within /app/exam/controller/exams.master.php. This function processes the uploadfile parameter without validating whether the supplied value points to a safe, expected resource. When a user-supplied URL is passed to the function, the server retrieves the resource on behalf of the attacker. This behavior matches the SSRF pattern described in CWE-918. According to the VulDB Vulnerability #358207 entry, exploitation requires only low privileges and no user interaction. The exploit is public, so defenders should assume attackers can reproduce it.
Root Cause
The root cause is missing validation of the uploadfile argument before it is consumed by a server-side fetch operation. PHPEMS does not enforce an allowlist of hosts or schemes, nor does it block private IP ranges and link-local addresses. As a result, any URL supplied through uploadfile is treated as trusted input by the Instant Exam Creation Handler.
Attack Vector
An authenticated user with low privileges sends a crafted request to the exam creation endpoint, setting uploadfile to a URL of their choice. The PHPEMS server then performs an outbound HTTP request to that URL from its own network position. Attackers commonly target internal services, including cloud metadata endpoints such as http://169.254.169.254/, internal admin panels, and databases that trust loopback or RFC 1918 traffic. Refer to the VulDB technical writeup and the VulnPlus Note Sharing reference for additional exploitation context.
Detection Methods for CVE-2026-6573
Indicators of Compromise
- Outbound HTTP requests originating from the PHPEMS web server process to internal IP ranges, cloud metadata addresses, or unexpected external hosts.
- Requests to /app/exam/controller/exams.master.php containing a uploadfile parameter that holds a URL value instead of a file path.
- Unusual access patterns to the temppage action from low-privileged user accounts.
Detection Strategies
- Inspect web server access logs for POST or GET requests targeting the exam controller with URL-formatted uploadfile values.
- Correlate PHP process network telemetry with web request logs to identify server-initiated fetches that follow user input.
- Alert on PHPEMS host connections to 169.254.169.254, loopback addresses, or RFC 1918 ranges not part of the application baseline.
Monitoring Recommendations
- Enable verbose logging of outbound HTTP requests made by the PHP runtime, including destination host and request initiator.
- Forward web application and host network telemetry to a centralized analytics platform to support cross-source correlation.
- Baseline normal PHPEMS network behavior and create detections for deviations, especially requests to cloud provider metadata services.
How to Mitigate CVE-2026-6573
Immediate Actions Required
- Restrict access to the PHPEMS administrative and exam creation interfaces to trusted networks only.
- Audit existing PHPEMS user accounts and remove unnecessary low-privileged accounts that can reach the vulnerable endpoint.
- Block egress traffic from the PHPEMS server to internal management ranges and cloud metadata endpoints at the network layer.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Monitor the VulDB entry for #358207 and PHPEMS project channels for an official fix. Until a patch is available, treat all PHPEMS 11.0 installations as exposed and apply the workarounds below.
Workarounds
- Place a reverse proxy or web application firewall in front of PHPEMS and block requests where uploadfile contains URL schemes such as http://, https://, file://, or gopher://.
- Configure the host firewall to deny outbound connections from the PHP worker to 169.254.169.254, 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 unless explicitly required.
- Disable or restrict the Instant Exam Creation Handler functionality if it is not in active use.
# Example egress restriction using iptables on the PHPEMS host
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

