EUVD-2026-12273
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Tags
Description
A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
An unrestricted file upload vulnerability exists in the glowxq-oj online judge system that allows remote attackers without authentication to upload malicious files through the SysFileController Upload function. A proof-of-concept exploit is publicly available, and while not currently in CISA's KEV catalog, the vulnerability poses moderate risk with a CVSS score of 7.3 and publicly disclosed exploitation code.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Immediately disable the SysFileController Upload function or restrict access via network/WAF rules; audit recent file uploads for suspicious activity. Within 7 days: Implement compensating controls (WAF rules blocking upload endpoints, IP whitelisting, authentication enforcement); assess if alternative online judge solutions are available. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today