Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AnalysisAI
Unrestricted file upload in Harvard IQSS Dataverse versions up to 6.8 allows authenticated users to bypass theme customization controls via manipulation of the uploadLogo parameter in /ThemeAndWidgets.xhtml, enabling arbitrary file upload with low confidentiality, integrity, and availability impact. The vulnerability is publicly exploitable with proof-of-concept code available; CVSS 5.3 reflects the authenticated attack vector and limited scope, though the ease of exploitation (Attack Complexity Low, Exploitation proven) combined with public POC increases practical risk. Vendor released patched version 6.10 and responded swiftly to early disclosure.
Technical ContextAI
The vulnerability resides in Dataverse's Theme Customization component, specifically in the /ThemeAndWidgets.xhtml interface used for uploading custom logos. The underlying issue (CWE-284: Improper Access Control) stems from insufficient validation of the uploadLogo parameter, allowing authenticated users to circumvent intended restrictions on file upload operations. The flaw is leveraged via remote HTTP requests without elevated privileges (PR:L indicates login-level authentication), suggesting the component fails to properly enforce role-based or administrative controls on file upload functionality. This is a client-side manipulation attack against a server-side file handling mechanism that does not adequately validate source or destination of uploaded assets.
RemediationAI
Upgrade to IQSS Dataverse version 6.10 or later, which contains the vendor-released patch. The fix can be obtained from the official GitHub release at https://github.com/IQSS/dataverse/releases/tag/v6.10. Organizations unable to upgrade immediately should implement network-level access controls restricting access to /ThemeAndWidgets.xhtml to trusted administrative users only, and monitor upload logs for suspicious file uploads to theme directories. The vendor responded early and released the patched version quickly, indicating a professional remediation timeline. No workarounds are documented as sufficient alternatives to patching.
Same weakness CWE-284 – Improper Access Control
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17851