Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper authorization in perfree go-fastdfs-web up to version 1.3.7 allows remote unauthenticated attackers to access the doInstall interface in InstallController.java, potentially disclosing sensitive information or manipulating system configuration. The vulnerability has been publicly disclosed with exploit code available; however, the vendor has not responded to early disclosure notifications and no official patch has been released.
Technical ContextAI
The vulnerability exists in the InstallController.java component, specifically the doInstall interface endpoint, which fails to properly validate authorization before processing requests (CWE-266: Improper Privilege Management). This Java-based web application component lacks sufficient access controls on what should be a privileged administrative function. The go-fastdfs-web project is a file distribution system written in Java, and the affected InstallController is responsible for system installation procedures that should be restricted to authorized administrators. The improper authorization flaw allows the interface to accept and process requests from unauthenticated remote sources without verifying the caller's privileges or installation state, enabling unauthorized manipulation of system configuration.
RemediationAI
No vendor-released patch identified at time of analysis. Users should implement network-level access controls to restrict access to the doInstall endpoint to trusted administrative networks only, or disable the endpoint entirely if the installation process has already completed. Consider placing the go-fastdfs-web application behind a Web Application Firewall (WAF) with rules that require authentication tokens or IP whitelisting before reaching InstallController endpoints. Monitor for any updates from the perfree project; given vendor non-responsiveness, upgrade to a patched version if one becomes available in the project repository. As an interim measure, review access logs for any unauthorized attempts to invoke the doInstall interface and verify the integrity of your installation configuration.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21684