EUVD-2026-16668

CVE-2026-5027
Severity: HIGH (CVSS 3.1 base score 8.8)
Date: 2026-03-27

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 27, 2026 - 15:22 (vuln.today)
EUVD ID Assigned: Mar 27, 2026 - 15:22 (euvd), EUVD-2026-16668
CVE Published: Mar 27, 2026 - 15:17 (nvd), HIGH 8.8

Description

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').

Analysis

Arbitrary file write vulnerability in an API endpoint (POST /api/v2/files) enables authenticated remote attackers to overwrite critical system files or place malicious executables in startup directories through unvalidated filename parameters containing path traversal sequences. The vulnerability carries a CVSS score of 8.8 (High) with network-accessible attack vector requiring low-level privileges and no user interaction. …


Remediation

Within 24 hours: Identify all systems and applications exposing the affected API endpoint; restrict network access to POST /api/v2/files to trusted internal networks only and disable the endpoint if not actively required. Within 7 days: Implement Web Application Firewall (WAF) rules to block requests containing path traversal sequences (../, ..\ and URL-encoded variants) targeting /api/v2/files; audit API access logs for suspicious file write attempts with unusual paths. …
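An added example, not taken from the advisory or from the affected product: one way a handler for 'POST /api/v2/files' could validate the multipart 'filename' before writing, covering the '../', '..\' and URL-encoded variants named above. The function names, the Python implementation language and the policy of accepting only a single path segment inside a flat upload directory are assumptions.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class UnsafeFilename(ValueError):
    """The client-supplied filename would not stay inside the upload root."""


def resolve_upload_path(upload_root: str, filename: str) -> Path:
    """Return the storage path for an uploaded file, or raise UnsafeFilename."""
    # Decode until stable so %2e%2e%2f and double-encoded forms are checked in clear.
    name = filename
    for _ in range(4):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise UnsafeFilename("filename is encoded too many times")
    # Treat '\' as a separator on every platform, then require one plain segment.
    name = name.replace("\\", "/")
    if name in ("", ".", "..") or any(c in name for c in "/:\x00"):
        raise UnsafeFilename(f"rejected filename: {filename!r}")
    # Final containment check on the resolved path (also catches symlinks).
    root = Path(upload_root).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise UnsafeFilename(f"resolves outside upload root: {filename!r}")
    return target


def is_accepted(upload_root: str, filename: str) -> bool:
    """Convenience wrapper: True if the filename passes validation."""
    try:
        resolve_upload_path(upload_root, filename)
        return True
    except UnsafeFilename:
        return False


# Constructed sample filenames, as they might arrive in the multipart form data.
SAMPLES = ["report.pdf", "../../outside.txt", "..\\..\\outside.txt",
           "%2e%2e%2foutside.txt", "%252e%252e%252foutside.txt", "/tmp/outside.txt"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for sample in SAMPLES:
            print(f"{sample!r:32} accepted={is_accepted(root, sample)}")
```

Rejecting the request outright, rather than stripping the traversal sequences and continuing, leaves a failed request in the logs for the access-log audit recommended above.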


Priority Score

44
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0
