Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.
AnalysisAI
Arbitrary file upload in qihang-wms (启航电商WMS) allows unauthenticated remote attackers to execute arbitrary code by uploading malicious files through the ShopOrderImportController component. The vulnerability affects commit 75c15a and potentially other versions of this warehouse management system. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed by CISA KEV at time of analysis. Public exploit documentation exists via GitHub/Gist references.
Technical ContextAI
This vulnerability resides in ShopOrderImportController.java, a Java-based file upload handler component within qihang-wms (启航电商WMS), a Chinese warehouse management system. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application fails to properly validate file types, extensions, or content before processing uploads. The CVSS vector AV:N indicates the vulnerable endpoint is network-accessible, likely an HTTP/HTTPS API endpoint for order import functionality. Successful exploitation allows attackers to upload executable files (JSP, WAR, or other Java-executable formats) that can then be accessed via web server, leading to arbitrary code execution in the context of the application server (typically Tomcat or similar Java servlet container).
RemediationAI
Organizations running qihang-wms should immediately implement input validation on the ShopOrderImportController.java file upload endpoint to restrict accepted file types to legitimate business document formats (CSV, XLSX, XML) with server-side MIME type validation and content inspection. No vendor-released patch identified at time of analysis - the affected repository commit (75c15a) does not have a corresponding fix version documented in public sources or the NVD advisory. As a compensating control, configure web application firewall (WAF) rules to block uploads of executable file extensions (.jsp, .jspx, .war, .jar, .class) to the order import endpoint, though this may be bypassed via extension manipulation or MIME type confusion. More robust mitigation: restrict network access to the ShopOrderImportController endpoint to authenticated internal users only via reverse proxy authentication (this changes the attack surface from PR:N to PR:L, significantly reducing risk), and implement file upload to a sandboxed directory outside the web server's document root with separate processing workflow that never executes uploaded content directly. Monitor application logs for suspicious file upload attempts with unusual extensions or sizes. Organizations should evaluate migrating to actively maintained warehouse management solutions with established security development lifecycles, as qihang-wms appears to be a community project without formal security response process. Refer to researcher analysis at https://gist.github.com/Y4y17/6587147a37eba5b31de832e067f317ef for technical exploitation details to inform defensive configurations.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29949
GHSA-xf7x-xwx7-4g6h