Which versions of Java are affected by CVE-2026-4201?

An unauthenticated file upload vulnerability in the glowxq-oj online judge system allows attackers to upload malicious files without authentication, with public exploit code already available.

Is there a public PoC exploit available for CVE-2026-4201?

Yes, a public proof-of-concept exploit is available for CVE-2026-4201. Prioritise patching immediately. EPSS: 0.0%.

Java CVE-2026-4201

Q: What is the CVSS score of CVE-2026-4201?

CVE-2026-4201 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-12273 MEDIUM

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-03-16 VulDB

Java File Upload

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

Severity Changed

Apr 22, 2026 - 21:37 NVD

HIGH MEDIUM

CVSS changed

Apr 22, 2026 - 21:37 NVD

7.3 (HIGH) 6.9 (MEDIUM)

PoC Detected

Mar 16, 2026 - 14:53 vuln.today

Public exploit code

EUVD ID Assigned

Mar 16, 2026 - 02:00 euvd

EUVD-2026-12273

Analysis Generated

Mar 16, 2026 - 02:00 vuln.today

CVE Published

Mar 16, 2026 - 00:32 nvd

HIGH 7.3

DescriptionNVD

A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

An unrestricted file upload vulnerability exists in the glowxq-oj online judge system that allows remote attackers without authentication to upload malicious files through the SysFileController Upload function. A proof-of-concept exploit is publicly available, and while not currently in CISA's KEV catalog, the vulnerability poses moderate risk with a CVSS score of 7.3 and publicly disclosed exploitation code.

RemediationAI

Within 24 hours: Immediately disable the SysFileController Upload function or restrict access via network/WAF rules; audit recent file uploads for suspicious activity. Within 7 days: Implement compensating controls (WAF rules blocking upload endpoints, IP whitelisting, authentication enforcement); assess if alternative online judge solutions are available. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-4201 vulnerability details – vuln.today

Back

Java CVE-2026-4201

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Java CVE-2026-4201

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code