CVE-2026-3187: Unrestricted Upload in feiyuchuixue sz-boot-parent
A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-3187 affects the feiyuchuixue sz-boot-parent software, specifically versions up to 1.3.2-beta. The issue lies within the API endpoint /api/admin/sys-file/upload, which previously allowed unrestricted file uploads. This flaw enables an attacker with low privileges to remotely upload arbitrary files without proper validation of file types or MIME types. Such unrestricted upload capabilities can be exploited to upload malicious files, potentially leading to remote code execution, data tampering, or denial of service. The vulnerability does not require user interaction and can be exploited remotely, increasing its risk profile. The vendor addressed the issue in version 1.3.3-beta by implementing whitelist restrictions on file extensions and MIME types through configuration options oss.allowedExts and oss.allowedMimeTypes. The patch, identified by commit aefaabfd7527188bfba3c8c9eee17c316d094802, restricts uploads to only permitted file types, mitigating the risk of malicious file uploads. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting a medium severity level due to the combination of remote exploitability, low attack complexity, and limited scope of impact. No known exploits in the wild have been reported yet, but public exploit code is available, which increases the urgency for remediation.
Potential Impact
The unrestricted file upload vulnerability can have significant impacts on organizations using affected versions of sz-boot-parent. Attackers could upload malicious files such as web shells, scripts, or executables, leading to remote code execution, unauthorized access, data breaches, or service disruption. Confidentiality could be compromised by data exfiltration or unauthorized data modification. Integrity could be affected by tampering with application files or data. Availability could be impacted if attackers upload files that disrupt normal service operations or cause crashes. Since the vulnerability requires low privileges but no user interaction, it lowers the barrier for attackers to exploit. Organizations relying on this software for administrative or backend functions are particularly at risk. The presence of publicly available exploits increases the likelihood of attacks, especially in environments where patching is delayed. Overall, the vulnerability poses a moderate risk but can escalate to critical if combined with other weaknesses or misconfigurations.
Mitigation Recommendations
To mitigate CVE-2026-3187, organizations should immediately upgrade the feiyuchuixue sz-boot-parent component to version 1.3.3-beta or later, which contains the official patch. Beyond upgrading, administrators should configure the oss.allowedExts and oss.allowedMimeTypes options to strictly whitelist only necessary file extensions and MIME types, minimizing the attack surface. Implement additional server-side validation and scanning of uploaded files for malware or suspicious content. Employ network segmentation and access controls to limit exposure of the upload endpoint to trusted users or IP ranges. Monitor logs and alerts for unusual upload activity or attempts to upload disallowed file types. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block malicious upload attempts. Regularly audit and review file upload functionality and permissions to ensure no unauthorized changes. Finally, maintain an incident response plan to quickly address any exploitation attempts.
Affected Countries
China, United States, India, Germany, Japan, South Korea, Brazil, Russia, United Kingdom, France
CVE-2026-3187: Unrestricted Upload in feiyuchuixue sz-boot-parent
Description
A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-3187 affects the feiyuchuixue sz-boot-parent software, specifically versions up to 1.3.2-beta. The issue lies within the API endpoint /api/admin/sys-file/upload, which previously allowed unrestricted file uploads. This flaw enables an attacker with low privileges to remotely upload arbitrary files without proper validation of file types or MIME types. Such unrestricted upload capabilities can be exploited to upload malicious files, potentially leading to remote code execution, data tampering, or denial of service. The vulnerability does not require user interaction and can be exploited remotely, increasing its risk profile. The vendor addressed the issue in version 1.3.3-beta by implementing whitelist restrictions on file extensions and MIME types through configuration options oss.allowedExts and oss.allowedMimeTypes. The patch, identified by commit aefaabfd7527188bfba3c8c9eee17c316d094802, restricts uploads to only permitted file types, mitigating the risk of malicious file uploads. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting a medium severity level due to the combination of remote exploitability, low attack complexity, and limited scope of impact. No known exploits in the wild have been reported yet, but public exploit code is available, which increases the urgency for remediation.
Potential Impact
The unrestricted file upload vulnerability can have significant impacts on organizations using affected versions of sz-boot-parent. Attackers could upload malicious files such as web shells, scripts, or executables, leading to remote code execution, unauthorized access, data breaches, or service disruption. Confidentiality could be compromised by data exfiltration or unauthorized data modification. Integrity could be affected by tampering with application files or data. Availability could be impacted if attackers upload files that disrupt normal service operations or cause crashes. Since the vulnerability requires low privileges but no user interaction, it lowers the barrier for attackers to exploit. Organizations relying on this software for administrative or backend functions are particularly at risk. The presence of publicly available exploits increases the likelihood of attacks, especially in environments where patching is delayed. Overall, the vulnerability poses a moderate risk but can escalate to critical if combined with other weaknesses or misconfigurations.
Mitigation Recommendations
To mitigate CVE-2026-3187, organizations should immediately upgrade the feiyuchuixue sz-boot-parent component to version 1.3.3-beta or later, which contains the official patch. Beyond upgrading, administrators should configure the oss.allowedExts and oss.allowedMimeTypes options to strictly whitelist only necessary file extensions and MIME types, minimizing the attack surface. Implement additional server-side validation and scanning of uploaded files for malware or suspicious content. Employ network segmentation and access controls to limit exposure of the upload endpoint to trusted users or IP ranges. Monitor logs and alerts for unusual upload activity or attempts to upload disallowed file types. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block malicious upload attempts. Regularly audit and review file upload functionality and permissions to ensure no unauthorized changes. Finally, maintain an incident response plan to quickly address any exploitation attempts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-02-25T08:32:10.390Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 699f0a1db7ef31ef0b25eb10
Added to database: 2/25/2026, 2:41:33 PM
Last enriched: 3/4/2026, 8:37:43 PM
Last updated: 4/12/2026, 3:53:00 PM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.