CVE-2026-1879: Unrestricted Upload in Harvard University IQSS Dataverse
CVE-2026-1879 is a medium severity vulnerability affecting Harvard University IQSS Dataverse versions 6.0 through 6.8. It is an unrestricted file upload flaw in the Theme Customization component, specifically in /ThemeAndWidgets.xhtml, reached by manipulating the uploadLogo argument. A remote attacker with limited privileges, that is, an authenticated account that can reach the theme customization page, can upload arbitrary files without restriction, potentially leading to code execution or defacement. Exploitation requires no user interaction and no privileges beyond that limited access. The vendor has addressed the issue in version 6.10, and upgrading is strongly recommended. No exploitation in the wild has been observed, but exploit code is publicly available, which increases the risk.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-1879 is an unrestricted file upload vulnerability in Harvard University IQSS Dataverse versions 6.0 through 6.8. The flaw resides in the Theme Customization component, specifically in /ThemeAndWidgets.xhtml, where the uploadLogo argument is insufficiently validated. An attacker with limited privileges, meaning an authenticated account that can reach the theme customization page, can remotely upload arbitrary files to the server. Because the upload mechanism does not properly restrict file types or content, a file such as a web shell or script can be uploaded; whether that yields remote code execution or only persistent defacement depends on where the uploaded file is written and whether the application server executes or interprets files from that location. The vulnerability requires no user interaction and is exploitable over the network. The CVSS 4.0 score is 5.3 (medium), reflecting moderate impact and a low privilege requirement. The vendor has released version 6.10, which fixes the issue by validating and restricting what the upload accepts. Note that the advisory lists 6.0 through 6.8 as affected and 6.10 as fixed without mentioning 6.9; treat any deployment below 6.10 as unpatched until the vendor confirms otherwise. No exploitation in the wild has been reported, but public exploit code increases the likelihood of attacks. The vulnerability primarily affects organizations that use IQSS Dataverse for research data management and sharing, which is widespread in academic and research institutions globally.
Potential Impact
Exploitation of this unrestricted file upload can have significant consequences for affected organizations. An attacker who uploads a malicious file may achieve remote code execution, server compromise, data theft, or defacement of the web application, undermining the confidentiality, integrity, and availability of the affected systems. The severity of the outcome depends on where the uploaded file is written and whether anything on the server executes or interprets files from that location: if the file is only served back as static content, defacement and hosting of attacker-controlled content are the realistic outcomes, whereas an executable location means full server compromise. Because IQSS Dataverse is used to manage and share sensitive research data, exploitation could result in unauthorized disclosure or manipulation of that data, reputational damage, and compliance violations. Remote exploitation with no user interaction and only limited privileges makes both automated and targeted attacks easier. No active exploitation has been reported, but public exploit code could lead to rapid weaponization. Organizations relying on IQSS Dataverse should treat this as a moderate risk that escalates if left unpatched, especially where sensitive or regulated data is held.
Mitigation Recommendations
To mitigate CVE-2026-1879, upgrade IQSS Dataverse to version 6.10 or later, where the vulnerability is fixed. Until the upgrade is applied, restrict the Theme Customization functionality to trusted users only; since it is reached through /ThemeAndWidgets.xhtml, review which accounts hold roles that expose that page and remove any that do not need it. Monitor upload activity for suspicious files, and inspect the directory where uploaded logos are written for files whose content is not actually an image, since anything accepted before the upgrade remains on disk until someone looks for it. A web application firewall with rules for malicious file uploads can provide temporary protection, but filters that key on the filename extension or the client-supplied Content-Type are easy to bypass; server-side checks on the file content, strict type and size limits, malware scanning of uploads, and serving the upload directory as static content that the application server never executes are the controls that actually reduce the impact. Regularly audit logs for unusual upload patterns and include file upload mechanisms in penetration testing to detect exploitation attempts. Run the underlying server environment under the principle of least privilege to limit the impact of any successful exploit. Finally, maintain timely patch management and monitor threat intelligence feeds for emerging exploit activity related to this CVE.
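The validation the Technical Summary says the uploadLogo handler lacks, together with the strict file type restriction and the post-upgrade audit of already-uploaded files that the Mitigation Recommendations call for, as one added example. This is not Dataverse's code and not the vendor's fix; it is an illustrative Python validator plus a sweep of an on-disk logo directory. Assumed rather than taken from the advisory: logos are stored as files under a per-collection directory (the logos/<id>/ layout used below is an assumption), the allowed types are PNG, JPEG and GIF, and 1 MiB is the size cap. The sample files are constructed inline.

```python
import os
import re
import tempfile
from dataclasses import dataclass

MAX_LOGO_BYTES = 1 * 1024 * 1024          # assumption: 1 MiB is plenty for a logo
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}")

# Magic-byte signatures. The file *content* decides what it is; the client's
# filename and Content-Type header are untrusted input.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}


def sniff_image_type(head: bytes):
    """Return 'png', 'jpg' or 'gif' from the leading bytes, else None."""
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return None


@dataclass
class Verdict:
    ok: bool
    reason: str
    stored_name: str = ""   # server-chosen name; the client's name is never used


def validate_logo_upload(filename: str, data: bytes) -> Verdict:
    """Decide whether an uploadLogo submission may be written to disk."""
    # 1. No path components at all: the name must be a single safe token.
    if "/" in filename or "\\" in filename or not SAFE_NAME.fullmatch(filename):
        return Verdict(False, "filename rejected")
    # 2. Extension allow-list (cheap early reject; the content check decides).
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return Verdict(False, "extension not allowed: %r" % ext)
    # 3. Size bounds.
    if not data or len(data) > MAX_LOGO_BYTES:
        return Verdict(False, "empty or oversized upload")
    # 4. Content must carry a supported image signature that matches the extension.
    kind = sniff_image_type(data[:16])
    if kind is None:
        return Verdict(False, "content is not a supported image")
    if ALLOWED_EXT[ext] != kind:
        return Verdict(False, "extension .%s does not match content (%s)" % (ext, kind))
    # 5. Store under a fixed, server-chosen name with the *sniffed* extension.
    return Verdict(True, "accepted", "logo." + kind)


def sweep_logo_dir(root: str):
    """List files under root (root-relative paths) whose content is not an image.

    Anything the old, unrestricted handler accepted is still on disk after the
    upgrade until someone looks for it.
    """
    suspicious = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(16)
            if sniff_image_type(head) is None:
                suspicious.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(suspicious)


# --- constructed sample data (only the leading signature bytes matter here) ---
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
JPG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
GIF_SAMPLE = b"GIF89a" + b"\x00" * 16
PLANTED_JSP = b'<%@ page language="java" %><%= "not an image" %>'


def build_constructed_logo_dir() -> str:
    """Create a throwaway logos/<id>/ tree: two real images, two planted files."""
    root = tempfile.mkdtemp(prefix="logos-")
    samples = {
        "12/logo.png": PNG_SAMPLE,      # legitimate
        "12/banner.jpg": JPG_SAMPLE,    # legitimate
        "47/logo.png": PLANTED_JSP,     # script stored under an image name
        "47/notes.txt": b"hello\n",     # not an image either
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for name, blob in [("logo.png", PNG_SAMPLE), ("shell.jsp", PNG_SAMPLE),
                       ("logo.png", PLANTED_JSP), ("logo.png", GIF_SAMPLE)]:
        print(name, validate_logo_upload(name, blob))
    print(sweep_logo_dir(build_constructed_logo_dir()))
```

The extension allow-list is only an early reject; the decision comes from the content sniff plus the server-chosen stored name, so a double extension, a traversal-laden filename or a mismatched Content-Type header buys the attacker nothing. A magic-byte check does not stop a polyglot (a valid image header followed by script), which is why the stored file keeps a server-chosen image extension and the directory it lands in must be served as static content the application server never executes; re-encoding the image through an image library before storing it removes a polyglot payload entirely. Run sweep_logo_dir against the real logo directory after upgrading to find files accepted before the fix.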
Affected Countries
United States, United Kingdom, Canada, Germany, Australia, Netherlands, France, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-04T07:49:19.915Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ccee90e6bfc5ba1dbeb780
Added to database: 4/1/2026, 10:08:16 AM
Last enriched: 4/1/2026, 10:23:22 AM
Last updated: 4/1/2026, 11:16:38 AM