Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Network-reachable upload endpoint with a low-privileged account (PR:L), victim must interact with the stored payload (UI:R), and ACL bypass crosses the security scope to High C/I; no availability impact described.
Primary rating from Vendor (TR-CERT).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionNVD
Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects WEOLL: from 2.0.9 before 3.2.45.33.
AnalysisAI
Unrestricted file upload in Global IT Informatics Services WEOLL versions 2.0.9 through 3.2.45.32 allows authenticated low-privilege users to upload files of dangerous types and bypass ACL-protected functionality. With CVSS 8.7 (scope-changed, confidentiality and integrity high) and TR-CERT advisory publication, the flaw enables impact beyond the vulnerable component, though no public exploit identified at time of analysis and KEV/EPSS signals are not provided.
Technical ContextAI
WEOLL is a web-based product distributed by Global IT Informatics Services Inc., identified by CPE cpe:2.3:a:global_it_informatics_services_inc.:weoll. The root cause class is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the application's upload handler fails to validate file extension, MIME type, or content before persisting the file in a location reachable by the web tier. The advisory also references improper ACL enforcement, indicating the upload endpoint or the resulting stored file can be accessed by users or roles that the application's access-control model intended to exclude - combining a file-handling weakness with a broken authorization check.
RemediationAI
Upgrade WEOLL to version 3.2.45.33 or later, which is the first fixed release indicated by the affected-range boundary in the TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0369); confirm the exact build with the vendor before deployment. Until patching, restrict who holds upload-capable accounts, place the application behind a WAF rule that blocks executable, script, and archive extensions (.php, .jsp, .aspx, .exe, .svg, .html, .htaccess) on multipart uploads, and serve any user-upload directory from a separate non-executing path or storage bucket with Content-Disposition: attachment and a strict Content-Type allowlist - accepting that legitimate document workflows may need re-testing. Additionally tighten ACLs on upload and download endpoints and review logs for unexpected file types written by low-privilege accounts, recognizing that WAF rules can be bypassed via content-type spoofing and are a stop-gap, not a fix.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36437
GHSA-jpfv-gw2p-hjm7