QwikSec

Security Database

CVE

CWE

Training

CVE-2012-10049

Published: Aug 8, 2025

Modified: May 15, 2026

PUBLISHED

Description

WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uploaded files to a publicly accessible directory. This flaw allows remote attackers to upload and execute arbitrary PHP code, resulting in full remote code execution under the web server context.

Vendor	Product	Versions
WPO Foundation	WebPageTest	affected `0 - <= 2.6`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/webpagetest_upload_exec.rb

exploit

https://www.exploit-db.com/exploits/19790

exploit

https://www.exploit-db.com/exploits/20173

exploit

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=26148

third-party-advisory

https://github.com/catchpoint/WebPageTest

product

https://www.vulncheck.com/advisories/webpagetest-arbitrary-php-file-upload-rce

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.