CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Description (NVD)
An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.
Analysis (AI)
Path traversal in JeeSite 5.15.1 allows authenticated users with file upload permissions to write arbitrary files to any filesystem location during chunked uploads by manipulating the fileMd5 parameter in /a/file/upload. Attackers can bypass directory restrictions to plant webshells, modify configuration files, or overwrite executables with whitelisted extensions, achieving remote code execution and full system compromise. …
Remediation (AI)
Within 24 hours: Disable or restrict access to the /a/file/upload endpoint for all non-administrative users; audit recent file uploads via JeeSite logs for suspicious fileMd5 parameters or files written outside intended directories. Within 7 days: Inventory all JeeSite 5.15.1 deployments; assess the feasibility of upgrading to a patched version when available or migrating to alternative file management solutions. …
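The log audit suggested above, as an added example (not JeeSite code and not part of the advisory): it flags any fileMd5 value sent to /a/file/upload that is not a plain 32-character hex digest. It assumes that a legitimate fileMd5 is a hex MD5 and that request parameters appear in the log as `fileMd5=value`; the log layout and sample lines are constructed.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/a/file/upload"  # endpoint named in the advisory
# Assumption: a legitimate fileMd5 is an MD5 digest in hex, i.e. exactly 32 hex characters.
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")
# Assumption: the log records the parameter as fileMd5=<value>, ending at '&', whitespace or a quote.
PARAM = re.compile(r'fileMd5=([^&\s"]*)')


def is_valid_file_md5(value):
    """True only for a plain 32-character hex string (no separators, dots or padding)."""
    return bool(MD5_HEX.fullmatch(value))


def audit_line(line):
    """Return the decoded fileMd5 values in one upload-endpoint log line that fail validation."""
    if ENDPOINT not in line:
        return []
    decoded = (unquote(raw) for raw in PARAM.findall(line))
    return [value for value in decoded if not is_valid_file_md5(value)]


def audit_log(lines):
    """Return (line_number, value) pairs for every suspicious fileMd5 in the log."""
    findings = []
    for number, line in enumerate(lines, start=1):
        findings.extend((number, value) for value in audit_line(line))
    return findings


# Constructed sample log lines (not real JeeSite output).
SAMPLE_LOG = [
    '10.0.0.5 "POST /a/file/upload?fileMd5=9e107d9d372bb6826bd81d3542a419d6" 200',
    '10.0.0.7 "POST /a/file/upload?fileMd5=..%2F..%2Fconstructed-example" 200',
    '10.0.0.5 "GET /a/login" 200',
]

if __name__ == "__main__":
    for number, value in audit_log(SAMPLE_LOG):
        print(f"line {number}: suspicious fileMd5 {value!r}")
```

The same `is_valid_file_md5` check can serve as an interim filter at a reverse proxy or application gateway, rejecting uploads whose fileMd5 is not a bare hex digest.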
EUVD-2026-26393