Skip to main content

CVE-2026-36760

| EUVDEUVD-2026-26393 CRITICAL
Path Traversal (CWE-22)
2026-04-30 cve@mitre.org
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 19:30 vuln.today
CVSS changed
Apr 30, 2026 - 18:22 NVD
9.6 (CRITICAL)
EUVD ID Assigned
Apr 30, 2026 - 17:22 euvd
EUVD-2026-26393
Analysis Generated
Apr 30, 2026 - 17:22 vuln.today
CVE Published
Apr 30, 2026 - 17:16 nvd
CRITICAL 9.6

DescriptionCVE.org

An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.

AnalysisAI

Path traversal in JeeSite 5.15.1 allows authenticated users with file upload permissions to write arbitrary files to any filesystem location during chunked uploads by manipulating the fileMd5 parameter in /a/file/upload. Attackers can bypass directory restrictions to plant webshells, modify configuration files, or overwrite executables with whitelisted extensions, achieving remote code execution and full system compromise. Scope change in CVSS vector indicates container escape or cross-tenant impact in multi-tenant deployments. No active exploitation confirmed (not in CISA KEV) but vulnerability disclosed via GitHub issue #530.

Share

CVE-2026-36760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy