Skip to main content

Rotaban CVE-2026-11839

| EUVDEUVD-2026-36249 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-11 TR-CERT GHSA-4r5w-3xv4-56jm
9.9
CVSS 3.1 · NVD
Share

Severity by source

Vendor (TR-CERT) PRIMARY
CRITICAL
qualitative
NVD
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable upload feature with any authenticated account (PR:L, AV:N, AC:L), no user interaction; uploaded web shell escapes app context (S:C) and yields full host CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (TR-CERT).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 11, 2026 - 15:45 vuln.today

DescriptionNVD

Unrestricted upload of file with dangerous type vulnerability in Başarsoft Information Technologies Inc. Rotaban allows Upload a Web Shell to a Web Server.

This issue affects Rotaban: from V2026.06.002 before V2026.06.003.

AnalysisAI

Remote code execution in Başarsoft Rotaban versions V2026.06.002 through V2026.06.003 (exclusive) allows authenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The flaw stems from missing validation of uploaded file types (CWE-434) and was reported by TR-CERT; no public exploit identified at time of analysis, but the CVSS 9.9 score and scope-change indicator make this a high-priority patch target for any Rotaban deployment.

Technical ContextAI

Rotaban is a GIS/mapping-related platform from Turkish vendor Başarsoft Information Technologies. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the application's file-upload handler fails to validate file extension, MIME type, or content against an allowlist before storing the file in a web-accessible directory. When the uploaded file is a server-executable script (PHP, ASPX, JSP, etc.), the web server will execute it on subsequent requests, giving the attacker a web shell. The CPE string cpe:2.3:a:başarsoft_information_technologies_inc.:rotaban:*:*:*:*:*:*:*:* confirms the vendor and product but does not narrow the version beyond what the description specifies.

RemediationAI

Vendor-released patch: V2026.06.003 - upgrade all Rotaban instances at or above V2026.06.002 to V2026.06.003 or later, following the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0367. Until the upgrade is deployed, restrict access to the upload endpoint via network ACLs or a reverse-proxy rule so only trusted internal addresses can reach it (side effect: legitimate remote users will be blocked), disable or remove script execution permissions (e.g., remove ExecCGI, disable PHP/ASP handlers) on the upload storage directory so uploaded files cannot be invoked as code (side effect: any feature relying on executable content in that path breaks), and add a WAF rule that rejects multipart uploads whose filenames or content match server-executable extensions such as .php, .phtml, .jsp, .aspx, .ashx (side effect: false positives on legitimately named files). Rotate any credentials and review upload directories for existing web shells before declaring the system clean.

Share

CVE-2026-11839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy