CVE-2026-4830 identifies an unrestricted file upload vulnerability in kalcaddle kodbox version 1.64, specifically within the Public Share Handler component's Add function located in app/controller/explorer/userShare.class.php. This vulnerability allows remote attackers to bypass any upload restrictions and upload arbitrary files to the server without requiring authentication or user interaction. The vulnerability arises from insufficient validation or sanitization of uploaded files in the public sharing feature, which is designed to allow users to share files externally. Due to the unrestricted nature of the upload, an attacker could potentially upload malicious scripts or executables, leading to remote code execution or further compromise of the affected system. However, the attack complexity is high, meaning exploitation requires advanced skills or specific conditions, and no known exploits have been observed in the wild to date. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network attack vector, high attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. The vendor was contacted early but has not issued any response or patch, leaving users exposed. This vulnerability underscores the risks associated with improperly secured file upload functionalities in web applications, especially those enabling public sharing capabilities.

If exploited, this vulnerability could allow attackers to upload arbitrary files, including malicious scripts, to the affected kodbox server. This can lead to unauthorized remote code execution, data theft, or defacement, compromising the confidentiality, integrity, and availability of the system and its data. Organizations relying on kodbox 1.64 for file sharing may face data breaches or service disruptions. Although the complexity of exploitation is high and no active exploits are known, the lack of vendor response and patch increases the risk exposure. Attackers targeting organizations with publicly accessible kodbox instances could leverage this flaw to establish persistence or pivot within internal networks. The impact is particularly significant for organizations handling sensitive or regulated data, as unauthorized file uploads could bypass security controls and lead to compliance violations or reputational damage.

1. Immediately restrict or disable public sharing features in kodbox 1.64 until a patch or official fix is available. 2. Implement web application firewall (WAF) rules to detect and block suspicious file upload attempts targeting the vulnerable endpoint (app/controller/explorer/userShare.class.php). 3. Monitor server logs for unusual upload activity or unexpected file types being uploaded. 4. Employ strict file type validation and content inspection on all uploaded files at the network perimeter or proxy level as a temporary control. 5. Isolate kodbox servers from critical internal networks to limit potential lateral movement if compromise occurs. 6. Regularly back up data and ensure backups are offline or immutable to recover from potential attacks. 7. Engage with the vendor or community for updates and consider upgrading to newer, patched versions once available. 8. Conduct internal penetration testing focusing on file upload functionalities to identify similar weaknesses. These measures go beyond generic advice by focusing on immediate containment, detection, and network segmentation to reduce risk exposure in the absence of a vendor patch.