Vulnerability Name: jackying H-ui.admin up to 3.1 preview.php Unrestricted Upload
Vulnerability ID: VDB-339348, CVE-2025-15426, GCVE-100-339348
CVSS Score: 6.9

Vulnerability Overview:
This vulnerability is classified as severe. It exists in an unknown function within the /library/webuploader/0.1.5/server/preview.php library of jackying H-ui.admin up to version 3.1 and leads to unauthorized file upload. The vulnerability is named CVE-2025-15426. The attack can be executed remotely, and exploit programs are available. The vendor was notified early but has not responded.

Detailed Information:
The vulnerability affects an unknown function in the /library/webuploader/0.1.5/server/preview.php library. Operations on unknown inputs trigger an unauthorized upload vulnerability. The Common Weakness Enumeration (CWE) classifies this issue as CWE-434: the product permits attackers to upload or transfer dangerous file types that may be automatically processed within the product environment. This impacts confidentiality, integrity, and availability.

CVE Information:
This vulnerability is tracked as CVE-2025-15426. It is considered easy to exploit and can be initiated remotely. Exploitation does not require any form of authentication. Technical details and public exploits are known. The MITRE ATT&CK project classifies the attack technique as T1608.002.

Exploit Sharing Type:
The exploit can be shared on github.com. It is declared as proof-of-concept. By searching for inurl:lib/webuploader/0.1.5/server/preview.php on Google, vulnerable targets can potentially be found.