CVE-2026-3187: Unrestricted Upload in feiyuchuixue sz-boot-parent
A vulnerability was identified in feiyuchuixue sz-boot-parent up to version 1.3.2-beta. The issue affects unspecified functionality of the file /api/admin/sys-file/upload in the API Endpoint component. Manipulation of this upload handler leads to unrestricted upload. The attack may be launched remotely. An exploit is publicly available and might be used. Upgrading to version 1.3.3-beta resolves this issue; the patch is identified as commit aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professionally: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."
AI Analysis
Technical Summary
CVE-2026-3187 is a vulnerability in the feiyuchuixue sz-boot-parent project, specifically affecting versions up to 1.3.2-beta. The flaw exists in the API endpoint /api/admin/sys-file/upload, which lacks adequate restrictions on file uploads, allowing attackers to upload arbitrary files without proper validation. This unrestricted upload can be exploited remotely without authentication or user interaction, enabling attackers to potentially upload malicious files such as web shells or malware. The vulnerability impacts confidentiality, integrity, and availability by allowing unauthorized file placement that could lead to code execution, data leakage, or service disruption. The vendor addressed the issue in version 1.3.3-beta by implementing whitelist restrictions on file extensions and MIME types through configuration options oss.allowedExts and oss.allowedMimeTypes. The patch is identified by commit aefaabfd7527188bfba3c8c9eee17c316d094802. Although a public exploit exists, no known widespread exploitation has been reported. The vulnerability has a CVSS 4.0 score of 5.3, reflecting medium severity due to ease of exploitation but limited scope and impact. Organizations using the affected component, especially in administrative contexts, should upgrade and configure strict upload restrictions to prevent exploitation.
Potential Impact
The unrestricted upload vulnerability can lead to significant security risks for organizations using the feiyuchuixue sz-boot-parent software. Attackers could upload malicious files such as web shells, ransomware, or other malware, potentially resulting in unauthorized remote code execution, data breaches, or service outages. This compromises confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by enabling denial-of-service conditions. Since the vulnerability requires no user interaction and can be exploited remotely, it increases the attack surface considerably. Organizations with exposed administrative upload endpoints are particularly vulnerable. The presence of a public exploit increases the likelihood of opportunistic attacks. While the vulnerability is medium severity, the potential for lateral movement and further compromise in enterprise environments elevates the risk. Failure to patch could lead to regulatory compliance issues and reputational damage if exploited.
Mitigation Recommendations
1. Upgrade the feiyuchuixue sz-boot-parent component to version 1.3.3-beta or later, which includes the official patch restricting file uploads.
2. Configure the oss.allowedExts and oss.allowedMimeTypes options to enforce strict whitelisting of permitted file types, minimizing the risk of malicious uploads.
3. Implement additional server-side validation and scanning of uploaded files using antivirus and malware detection tools.
4. Restrict access to the /api/admin/sys-file/upload endpoint to trusted administrators and internal networks via network segmentation and firewall rules.
5. Monitor logs for unusual upload activity or attempts to upload disallowed file types.
6. Employ web application firewalls (WAFs) with rules tuned to detect and block suspicious upload patterns.
7. Conduct regular security assessments and penetration testing focused on file upload functionalities.
8. Educate developers and administrators on secure file handling best practices to prevent similar issues in future development cycles.
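The following is an added illustration of what an allowlist check of the kind described in steps 2 and 3 looks like on the server side; it is not code from sz-boot-parent and does not show how the project implements oss.allowedExts and oss.allowedMimeTypes. The option names are taken from the advisory, but the allowlist values, the function names and the magic-byte table are constructed here. It goes one step beyond the extension and MIME allowlist the fix describes by also verifying the leading bytes of the content, so that a renamed script with a permitted extension and a spoofed Content-Type header is still rejected, and by giving the stored file a server-chosen name so the client's filename never reaches the filesystem.

```python
"""Allowlist-based upload validation (added example, not sz-boot-parent code)."""
import uuid

# Example allowlist values. The option names oss.allowedExts and
# oss.allowedMimeTypes come from the advisory; these values are constructed.
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif", "pdf"}
ALLOWED_MIME_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}

# The MIME type each permitted extension must correspond to.
EXT_TO_MIME = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "pdf": "application/pdf",
}

# Leading-byte signatures used to verify the real content, so the check does
# not trust the client-supplied Content-Type header.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails a policy check."""


def extract_extension(filename: str) -> str:
    """Return the lower-cased final extension after neutralising name tricks."""
    if "\x00" in filename:
        raise UploadRejected("null byte in filename")
    # Discard any directory component the client sent ("../../x.png", "C:\\x.png").
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dots and spaces are dropped by some filesystems, so normalise them.
    base = base.strip().rstrip(". ")
    # Reject names without an extension, including dot-files such as ".htaccess".
    if "." not in base or (base.startswith(".") and base.count(".") == 1):
        raise UploadRejected("filename has no extension")
    return base.rsplit(".", 1)[1].lower()


def sniff_mime(content: bytes):
    """Return the MIME type whose signature the content starts with, or None."""
    for mime, signatures in MAGIC.items():
        if any(content.startswith(sig) for sig in signatures):
            return mime
    return None


def normalise_mime(declared: str) -> str:
    """'image/png; charset=binary' -> 'image/png'."""
    return declared.split(";", 1)[0].strip().lower()


def validate_upload(filename: str, declared_mime: str, content: bytes):
    """Apply extension, declared-MIME and content checks; return (ext, mime)."""
    ext = extract_extension(filename)
    if ext not in ALLOWED_EXTS:
        raise UploadRejected(f"extension {ext!r} not in allowlist")
    declared = normalise_mime(declared_mime)
    if declared not in ALLOWED_MIME_TYPES:
        raise UploadRejected(f"MIME type {declared!r} not in allowlist")
    sniffed = sniff_mime(content)
    if sniffed is None:
        raise UploadRejected("content matches no permitted file signature")
    # Extension, declared type and real content must all agree; a mismatch is the
    # classic sign of a script renamed to look like an image.
    if sniffed != declared or sniffed != EXT_TO_MIME[ext]:
        raise UploadRejected(
            f"content is {sniffed}, but name/header claim {ext}/{declared}")
    return ext, sniffed


def storage_name(ext: str) -> str:
    """Server-chosen name; the client's filename never reaches the filesystem."""
    return f"{uuid.uuid4().hex}.{ext}"


def check(filename: str, declared_mime: str, content: bytes) -> str:
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        validate_upload(filename, declared_mime, content)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a non-image payload.
    PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)
    TEXT = b"not really an image"
    print(check("logo.png", "image/png", PNG))
    print(check("photo.jsp.png", "image/png", TEXT))
    print(check("page.jsp", "image/png", PNG))
```

The three-way agreement (extension, declared type, sniffed content) is what makes the check robust against the usual bypasses of a pure extension allowlist; the uuid-based storage name separately defuses double-extension and path tricks in the original filename. Signature sniffing only recognises the handful of types in the constructed table, so extending ALLOWED_EXTS means extending MAGIC and EXT_TO_MIME as well.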
Affected Countries
China, United States, India, Germany, Japan, South Korea, Brazil, United Kingdom, France, Russia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-25T08:32:10.390Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f0a1db7ef31ef0b25eb10
Added to database: 2/25/2026, 2:41:33 PM
Last enriched: 2/25/2026, 2:56:34 PM
Last updated: 2/26/2026, 6:01:17 AM