Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible endpoint requires only low-privilege authentication; integrity impact is low (arbitrary file write); no confirmed confidentiality or availability impact; scope unchanged absent confirmed server-side execution.
Primary rating from Vendor (SEC-VLab).
CVSS VectorVendor: SEC-VLab
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content.
AnalysisAI
Unrestricted file upload in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows any authenticated user, regardless of role or permission level, to bypass server-side file type controls at the /safe/contract/uploadcustomdocuments endpoint by spoofing the HTTP Content-Type header with a value containing allowed substrings such as 'pdf', 'jpeg', 'tiff', or 'png'. Because validation relies entirely on a client-supplied header rather than inspecting actual file content or magic bytes, arbitrary file content can be written to the server. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Technical ContextAI
The affected product is identified by CPE cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_software_for_vault_rooms_(safe_deposit_locker_system):*:*:*:*:*:*:*:*, which is physical safe-deposit locker management software by Wertheim GmbH. The vulnerability maps to CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw in which server logic trusts the client's declaration of content type rather than independently verifying it through file content inspection, magic byte analysis, or sandboxed processing. The validation at /safe/contract/uploadcustomdocuments performs only a substring presence check against the Content-Type request header - if the header value contains any of the strings 'pdf', 'jpeg', 'tiff', or 'png', the upload is accepted. This is trivially bypassed by crafting a Content-Type such as 'application/pdf+evil' or 'image/jpeg.php', which satisfies the check while delivering arbitrary payload content. The root cause is the absence of any server-side content inspection (e.g., libmagic, MIME sniffing of file bytes, or allowlist-based extension enforcement after file parsing).
RemediationAI
No vendor-released patch or fixed version has been identified in the available data at time of analysis. Organizations running Wertheim SafeController Software AssemblyVersion 6.15.8328.28014 should contact Wertheim GmbH directly referencing the SEC-VLab disclosure at https://r.sec-consult.com/wertheim to obtain patch status and availability. As a compensating control, restrict access to the /safe/contract/uploadcustomdocuments endpoint at the network or application firewall level to only explicitly trusted user segments, reducing the pool of authenticated users who can reach the endpoint (trade-off: may disrupt legitimate document upload workflows). Additionally, configure the web server to serve uploaded files from a directory that is not web-executable (e.g., outside the webroot or with execution disabled via server policy), which eliminates the most severe escalation path (code execution) even if arbitrary files can be written. Deploying a web application firewall rule to inspect Content-Type header values against a strict allowlist of exact MIME types (not substring matches) provides an additional detection layer. Audit existing uploaded files for unexpected types or executable content.
Authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables low-privileged authen
Authenticated path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) - software used to ma
Cross-branch authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an authen
Path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables an authenticated user holdi
Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotecte
Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables loca
IP restriction bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an attacker holding v
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36710
GHSA-gr5m-9xq3-vhc7