Skip to main content

Integrated Management Platform CVE-2026-4220

| EUVDEUVD-2026-12355 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-16 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Severity Changed
Apr 22, 2026 - 21:37 NVD
HIGH MEDIUM
CVSS changed
Apr 22, 2026 - 21:37 NVD
7.3 (HIGH) 6.9 (MEDIUM)
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 16, 2026 - 07:00 euvd
EUVD-2026-12355
Analysis Generated
Mar 16, 2026 - 07:00 vuln.today
CVE Published
Mar 16, 2026 - 06:02 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

An unrestricted file upload vulnerability exists in Technologies Integrated Management Platform version 7.17.0 that allows remote attackers to upload malicious files without authentication through the /SetWebpagePic.jsp endpoint by manipulating the targetPath/Suffix parameters. A public proof-of-concept exploit is available, though the vulnerability is not currently in CISA's Known Exploited Vulnerabilities catalog, making this a confirmed exploitable vulnerability with demonstrated attack code that could lead to unauthorized file uploads and potential remote code execution.

Technical ContextAI

The vulnerability affects Technologies Integrated Management Platform (CPE: cpe:2.3:a:technologies:integrated_management_platform:*:*:*:*:*:*:*:*), specifically version 7.17.0 according to EUVD data. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), which occurs when an application accepts file uploads without properly validating file types, extensions, or content. The vulnerable component is the /SetWebpagePic.jsp file, which likely handles image uploads for webpage customization but fails to restrict what types of files can be uploaded or where they can be placed on the server through the targetPath and Suffix parameters.

RemediationAI

No official patch is available as the vendor did not respond to the vulnerability disclosure. Immediate mitigations include: 1) Disable or restrict access to /SetWebpagePic.jsp if not required for operations, 2) Implement web application firewall (WAF) rules to filter requests to this endpoint, 3) Monitor for suspicious file uploads and unexpected file types, 4) Consider upgrading to a newer version if available (though vulnerability status in other versions is unknown), 5) Implement additional access controls requiring authentication for file upload functionality. The VulDB references (https://vuldb.com/?id.351144) should be monitored for updates.

Share

CVE-2026-4220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy