CVE-2026-34735 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the HytaleModding wiki software version 1.2.0 and earlier. The root cause lies in the quickUpload() endpoint's flawed file validation process. While the endpoint uses PHP's finfo function to inspect the MIME type of uploaded files, ensuring the content matches allowed types, it separately constructs the stored filename using the client-supplied file extension obtained from getClientOriginalExtension(). This separation allows an attacker to craft a file whose content passes the MIME type check but whose extension is maliciously set to .php. Because the file is stored on a public disk and accessible via URL, an attacker can upload a PHP script and execute arbitrary server-side code remotely. This leads to a critical security breach, as the attacker can potentially take full control of the server hosting the wiki. The vulnerability requires no user interaction and no authentication, making it highly exploitable. At the time of disclosure, no official patches or fixes have been released. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. This vulnerability poses a significant risk to organizations using this software, especially those exposing the wiki to the internet.

The impact of CVE-2026-34735 is severe for organizations running vulnerable versions of the HytaleModding wiki. Successful exploitation allows remote attackers to upload and execute arbitrary PHP code on the server, leading to full compromise of the affected system. This can result in data theft, data manipulation, defacement of hosted content, deployment of malware or ransomware, lateral movement within the network, and disruption of services. Since the wiki is often used to host modding documentation, attackers could also manipulate content to distribute malicious instructions or files to users. The public accessibility of the uploaded files increases the risk of widespread exploitation. Organizations with sensitive or critical data on these servers face confidentiality and integrity breaches, while availability can be impacted by denial-of-service or destructive payloads. The lack of authentication and user interaction requirements further heightens the risk, making automated exploitation feasible. Overall, this vulnerability threatens the security posture of affected organizations and their users.

To mitigate CVE-2026-34735, organizations should implement the following specific measures: 1) Immediately restrict or disable file upload functionality on the HytaleModding wiki until a patch is available. 2) Implement server-side validation that enforces strict matching between MIME type and file extension, rejecting any mismatch or suspicious extensions such as .php. 3) Sanitize and normalize all client-supplied file extensions before storage, or better yet, assign safe, server-generated filenames without relying on client input. 4) Configure the web server to prevent execution of uploaded files in the upload directory, for example, by disabling PHP execution in that folder via .htaccess or server configuration. 5) Monitor upload directories for unexpected file types and remove any suspicious files immediately. 6) Employ web application firewalls (WAFs) to detect and block malicious upload attempts. 7) Maintain strict access controls and logging to detect exploitation attempts. 8) Stay alert for official patches or updates from the vendor and apply them promptly once available. 9) Conduct security audits and penetration tests focusing on file upload functionality to identify similar weaknesses. These targeted mitigations go beyond generic advice and address the specific technical flaw and exploitation vector.