CVE-2026-8133 — AI Deep Analysis Summary

🚨 **Nature**: `admin.php` parameter order manipulation → **SQL Injection** 💥 **Consequence**: Remote attackers can read/modify the database 📉 Causing information leakage or damage

🔍 **Root Cause**: Parameter order manipulation ⚠️ Suspected **CWE-89**: SQL Injection 📌 Vulnerability Point: Unknown function in `dzz/shares/admin.php`

🎯 **Affected Versions**: zyx0814 FilePress ≤ **2.2.0** 🧩 **Affected Component**: Shares Filelist API ➡️ `admin.php`

👤 **Privileges**: No login required 🚪 🗃️ **Accessible Data**: Database content 📉 Risk: Data theft, tampering, or destruction

✅ **Low Exploitation Threshold** 🌐 **Remote** ✔️ 🔓 **No Authentication Required** (PR:N / UI:N) ⚙️ Triggerable with default configuration

🧨 **Existing Exploit Available**! 📂 PoC on GitHub 🔗 `Web-Security-Research/FilePress/Shares-API-PreAuth-SQLi` 📢 Exploitation code is publicly available 🚨

🔎 **Self-Check Method**: - Check if using FilePress ≤ 2.2.0 ❗ - Locate `dzz/shares/admin.php` 📁 - Search for unfiltered parameter concatenation 🧵 - Test for abnormal responses using known requests 🧪

🛡️ **Officially Patched** ✅ 📌 Patch Hash: `e20ec58414103f781858f2951d178e19b1736664` 🔗 GitHub commit & PR published 🔧

⚠️ **Before Patching**: - Restrict access to `admin.php` 🚧 IP whitelist - Disable Shares Filelist API ❌ - Use Web Application Firewall to block suspicious parameters 🧱

🔥 **High Priority**! 📈 CVSS: **6.3** (L/L/L) 📢 Easy to exploit + Public Exploit ➕ Remote Unauthenticated 💡 Recommendation: Apply patch immediately or implement temporary protection 🚨