Skip to main content

a+HCM EUVDEUVD-2026-24603

| CVE-2026-6835 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-04-22 twcert GHSA-c8mf-x5fq-cwm5
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 22, 2026 - 04:25 vuln.today
CVSS changed
Apr 22, 2026 - 04:22 NVD
6.1 (MEDIUM) 5.1 (MEDIUM)
EUVD ID Assigned
Apr 22, 2026 - 04:00 euvd
EUVD-2026-24603
Analysis Generated
Apr 22, 2026 - 04:00 vuln.today
CVE Published
Apr 22, 2026 - 03:40 nvd
MEDIUM 5.1

DescriptionCVE.org

The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in a XSS-like effect.

AnalysisAI

Unauthenticated remote attackers can upload arbitrary files to any path in a+HCM developed by aEnrich, including executable HTML documents, enabling cross-site scripting and potential server-side impacts. The vulnerability requires user interaction (UI:A) but allows unrestricted file placement with low scope and integrity impact. No patch version or active exploitation data is currently available.

Technical ContextAI

a+HCM is a Human Capital Management system developed by aEnrich. The vulnerability stems from improper input validation and insufficient access controls on file upload functionality (CWE-434: Unrestricted Upload of File with Dangerous Type). The system fails to enforce authentication checks on upload endpoints and does not restrict file types, paths, or naming, allowing attackers to place arbitrary files (including .html, .js, .jsp, or other executable formats) into web-accessible directories. This can lead to stored XSS when HTML/JavaScript files are served directly by the application server, or code execution if the upload directory permits script interpretation.

RemediationAI

No vendor-released patch version has been identified at time of analysis. Immediate compensating controls include: (1) Implement strict authentication and authorization checks on all upload endpoints - verify user identity and permissions before accepting file transfers; (2) Enforce a whitelist of permitted file extensions (.pdf, .docx, .xlsx only, not .html, .js, .jsp, .exe, .bat, etc.) and reject uploads that do not match; (3) Store uploaded files outside the web-accessible directory (not in /var/www/html or equivalent) and serve them through a download handler that sets appropriate Content-Type headers (attachment instead of inline for non-safe types); (4) Implement filename sanitization to prevent path traversal (reject '../', '..\', absolute paths) and rename uploads with unique identifiers (UUID + safe extension); (5) Disable script execution in upload directories via web server configuration (e.g., Apache/nginx directive blocking .html/.js execution in upload folder); (6) Set appropriate MIME type validation on server-side (not relying on client-supplied Content-Type header). Contact aEnrich through https://www.twcert.org.tw/tw/cp-132-10835-cb0c2-1.html for patch status and timeline.

Share

EUVD-2026-24603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy