CVE-2026-6835: CWE-434 Unrestricted upload of file with dangerous type in aEnrich a+HCM
The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in an XSS-like effect.
AI Analysis
Technical Summary
The a+HCM application by aEnrich suffers from CWE-434, an unrestricted file upload vulnerability. This flaw permits unauthenticated attackers to upload arbitrary files to any location on the server, including potentially dangerous file types such as HTML. This can result in XSS-like impacts by enabling malicious content to be served from the application. The vulnerability is publicly documented with CVE-2026-6835 and has a CVSS 4.0 score of 5.1, indicating medium severity. No patch or official remediation level has been disclosed by the vendor, and the product is not a cloud service.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to upload arbitrary files to any path within the affected system. This can lead to the execution of malicious scripts or content, resulting in cross-site scripting (XSS)-like effects. The impact is rated medium severity based on the CVSS score of 5.1. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict or monitor file upload functionality and implement compensating controls such as input validation and file type restrictions where possible. Avoid exposing the vulnerable upload interface to untrusted users.
Technical Details
- Data Version: 5.2
- Assigner Short Name: twcert
- Date Reserved: 2026-04-22T02:48:35.815Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e8480219fe3cd2cd4cd5b1
Added to database: 4/22/2026, 4:01:06 AM
Last enriched: 4/22/2026, 4:16:15 AM
Last updated: 4/22/2026, 6:52:58 AM