This vulnerability in SurveyJS allows attackers with at least low privileges to upload files of dangerous types without restriction. Such unrestricted file upload can enable attackers to execute arbitrary code, modify or delete data, and cause denial of service. The issue affects all versions up to and including 1.9.136. The CVSS 3.1 vector indicates network-based attack with low complexity and no user interaction, impacting confidentiality, integrity, and availability severely. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation can lead to full system compromise, including unauthorized code execution, data breach, and service disruption. The critical CVSS score reflects the potential for severe impact on affected systems. Since the vulnerability allows dangerous file types to be uploaded without restriction, attackers can leverage this to deploy malicious payloads or disrupt service.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict file upload permissions, implement manual file type validation, or disable file uploads if possible to reduce risk. Monitor for updates from devsoftbaltic regarding patches or official mitigations.