Skip to main content

qihang-wms CVE-2026-37430

| EUVDEUVD-2026-29949 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-13 mitre GHSA-xf7x-xwx7-4g6h
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 20:24 vuln.today
CVSS changed
May 14, 2026 - 20:22 NVD
7.3 (HIGH)
CVE Published
May 13, 2026 - 00:00 nvd
HIGH 7.3
CVE Published
May 13, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.

AnalysisAI

Arbitrary file upload in qihang-wms (启航电商WMS) allows unauthenticated remote attackers to execute arbitrary code by uploading malicious files through the ShopOrderImportController component. The vulnerability affects commit 75c15a and potentially other versions of this warehouse management system. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed by CISA KEV at time of analysis. Public exploit documentation exists via GitHub/Gist references.

Technical ContextAI

This vulnerability resides in ShopOrderImportController.java, a Java-based file upload handler component within qihang-wms (启航电商WMS), a Chinese warehouse management system. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application fails to properly validate file types, extensions, or content before processing uploads. The CVSS vector AV:N indicates the vulnerable endpoint is network-accessible, likely an HTTP/HTTPS API endpoint for order import functionality. Successful exploitation allows attackers to upload executable files (JSP, WAR, or other Java-executable formats) that can then be accessed via web server, leading to arbitrary code execution in the context of the application server (typically Tomcat or similar Java servlet container).

RemediationAI

Organizations running qihang-wms should immediately implement input validation on the ShopOrderImportController.java file upload endpoint to restrict accepted file types to legitimate business document formats (CSV, XLSX, XML) with server-side MIME type validation and content inspection. No vendor-released patch identified at time of analysis - the affected repository commit (75c15a) does not have a corresponding fix version documented in public sources or the NVD advisory. As a compensating control, configure web application firewall (WAF) rules to block uploads of executable file extensions (.jsp, .jspx, .war, .jar, .class) to the order import endpoint, though this may be bypassed via extension manipulation or MIME type confusion. More robust mitigation: restrict network access to the ShopOrderImportController endpoint to authenticated internal users only via reverse proxy authentication (this changes the attack surface from PR:N to PR:L, significantly reducing risk), and implement file upload to a sandboxed directory outside the web server's document root with separate processing workflow that never executes uploaded content directly. Monitor application logs for suspicious file upload attempts with unusual extensions or sizes. Organizations should evaluate migrating to actively maintained warehouse management solutions with established security development lifecycles, as qihang-wms appears to be a community project without formal security response process. Refer to researcher analysis at https://gist.github.com/Y4y17/6587147a37eba5b31de832e067f317ef for technical exploitation details to inform defensive configurations.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-37430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy