Skip to main content

Harvard University IQSS Dataverse CVE-2026-1879

| EUVDEUVD-2026-17851 LOW
Improper Access Control (CWE-284)
2026-04-01 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
EUVD ID Assigned
Apr 01, 2026 - 10:22 euvd
EUVD-2026-17851
Analysis Generated
Apr 01, 2026 - 10:22 vuln.today
CVE Published
Apr 01, 2026 - 10:16 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Unrestricted file upload in Harvard IQSS Dataverse versions up to 6.8 allows authenticated users to bypass theme customization controls via manipulation of the uploadLogo parameter in /ThemeAndWidgets.xhtml, enabling arbitrary file upload with low confidentiality, integrity, and availability impact. The vulnerability is publicly exploitable with proof-of-concept code available; CVSS 5.3 reflects the authenticated attack vector and limited scope, though the ease of exploitation (Attack Complexity Low, Exploitation proven) combined with public POC increases practical risk. Vendor released patched version 6.10 and responded swiftly to early disclosure.

Technical ContextAI

The vulnerability resides in Dataverse's Theme Customization component, specifically in the /ThemeAndWidgets.xhtml interface used for uploading custom logos. The underlying issue (CWE-284: Improper Access Control) stems from insufficient validation of the uploadLogo parameter, allowing authenticated users to circumvent intended restrictions on file upload operations. The flaw is leveraged via remote HTTP requests without elevated privileges (PR:L indicates login-level authentication), suggesting the component fails to properly enforce role-based or administrative controls on file upload functionality. This is a client-side manipulation attack against a server-side file handling mechanism that does not adequately validate source or destination of uploaded assets.

RemediationAI

Upgrade to IQSS Dataverse version 6.10 or later, which contains the vendor-released patch. The fix can be obtained from the official GitHub release at https://github.com/IQSS/dataverse/releases/tag/v6.10. Organizations unable to upgrade immediately should implement network-level access controls restricting access to /ThemeAndWidgets.xhtml to trusted administrative users only, and monitor upload logs for suspicious file uploads to theme directories. The vendor responded early and released the patched version quickly, indicating a professional remediation timeline. No workarounds are documented as sufficient alternatives to patching.

Share

CVE-2026-1879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy