CVE-2026-4509: Incomplete Blacklist in PbootCMS
A security flaw has been discovered in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
AI Analysis
Technical Summary
CVE-2026-4509 is a vulnerability identified in PbootCMS, a content management system, affecting all versions up to 3.2.12. The issue resides in the file upload component, specifically in the core/function/file.php file, where the argument 'black' is used to enforce a blacklist for file types or extensions. Due to incomplete or improper implementation of this blacklist, attackers can manipulate the 'black' argument to bypass restrictions and upload files that should otherwise be blocked. This can lead to the upload of malicious scripts or files, potentially enabling remote code execution, defacement, or other unauthorized actions on the server. The vulnerability is remotely exploitable without requiring user interaction and only requires low-level privileges, which may be present in some user roles or through other vulnerabilities. The CVSS 4.0 base score is 5.3, indicating a medium severity level, reflecting moderate impact on confidentiality, integrity, and availability. The vulnerability does not require special conditions such as user interaction or privileges beyond low-level access, making it easier to exploit in environments where such access is possible. Although no known exploits are currently active in the wild, the public release of exploit code increases the likelihood of exploitation attempts. The lack of official patches or updates at the time of reporting necessitates immediate attention from administrators to mitigate risks. This vulnerability highlights the critical importance of robust input validation and secure file upload mechanisms in web applications.
Potential Impact
The primary impact of CVE-2026-4509 is the potential for unauthorized file uploads due to the incomplete blacklist in the file upload functionality of PbootCMS. Successful exploitation can lead to several adverse outcomes: attackers may upload malicious scripts, enabling remote code execution or webshell deployment, which compromises server confidentiality and integrity. This can result in data breaches, defacement, or pivoting to other internal systems. Availability may also be affected if attackers deploy denial-of-service payloads or disrupt normal CMS operations. Organizations relying on PbootCMS for website management, especially those with sensitive or critical data, face increased risk of compromise. The medium severity reflects that while exploitation is feasible without user interaction, it requires at least low privileges, limiting the scope somewhat. However, given the public availability of exploit code, opportunistic attackers may target vulnerable installations aggressively. The impact is particularly significant for organizations lacking timely patch management or compensating controls, potentially leading to reputational damage, regulatory penalties, and operational disruptions.
Mitigation Recommendations
To mitigate CVE-2026-4509, organizations should first verify if they are running affected versions of PbootCMS (3.2.0 through 3.2.12). Since no official patches are currently linked, administrators should apply the following specific measures:
1) Implement strict server-side validation of uploaded files beyond relying solely on blacklists; use whitelisting of allowed file types and extensions.
2) Restrict file upload permissions to trusted users only and enforce the principle of least privilege.
3) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts targeting the vulnerable parameter.
4) Monitor file upload directories for unexpected or executable files and set appropriate filesystem permissions to prevent execution.
5) Disable or limit file upload features if not essential.
6) Regularly audit logs for anomalous upload activities.
7) Stay alert for official patches or updates from PbootCMS and apply them promptly once available.
8) Consider isolating the CMS environment or using containerization to limit potential damage from exploitation.
These targeted mitigations go beyond generic advice by focusing on the specific vulnerability mechanism and operational controls to reduce risk until a patch is released.
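Measures 1 and 4 can be combined into a periodic audit of the upload directory, sketched below as an added example (not PbootCMS code and not part of the original advisory). The allowlist contents and the function names are assumptions to adapt per deployment, and the permission check assumes a POSIX filesystem.

```python
import os
import stat
import sys
from pathlib import Path

# Assumption: extensions this site legitimately accepts; adjust per deployment.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "docx", "zip"}


def extension_findings(name: str) -> list[str]:
    """Reasons a stored file name falls outside the allowlist policy."""
    findings = []
    if any(ord(c) < 32 for c in name):
        findings.append("control character in name")
    # Some filesystems drop trailing dots/spaces, so the name a filter saw
    # may differ from the name that ends up on disk.
    cleaned = name.rstrip(". ")
    if cleaned != name:
        findings.append("trailing dot or space")
    stem, *exts = cleaned.lower().split(".")
    if not stem or not exts:
        findings.append("dotfile or no extension")
    elif exts[-1] not in ALLOWED_EXTENSIONS:
        findings.append(f"extension '{exts[-1]}' not on allowlist")
    elif len(exts) > 1:
        findings.append("multiple extensions")
    return findings


def audit_upload_dir(root: str) -> dict[str, list[str]]:
    """Map each suspicious file (path relative to root) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            findings = extension_findings(name)
            mode = path.lstat().st_mode
            if stat.S_ISLNK(mode):
                findings.append("symlink")
            elif mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append("executable bit set")
            if findings:
                report[str(path.relative_to(root))] = findings
    return report


if __name__ == "__main__" and len(sys.argv) == 2:
    for rel_path, reasons in sorted(audit_upload_dir(sys.argv[1]).items()):
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run it with the upload directory as the only argument, for example from a scheduled job, and treat any output as a prompt to review the listed file and the corresponding upload log entry.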
Affected Countries
China, United States, India, Germany, Brazil, Russia, South Korea, Japan, France, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-20T14:25:50.786Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69be3796f4197a8e3ba0643f
Added to database: 3/21/2026, 6:15:50 AM
Last enriched: 3/28/2026, 9:20:48 PM
Last updated: 4/29/2026, 10:18:25 PM