Skip to main content

Acrel EEMS Enterprise EUVDEUVD-2026-26834

| CVE-2026-7696 LOW
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-03 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
May 03, 2026 - 13:22 NVD
MEDIUM LOW
CVSS changed
May 03, 2026 - 13:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 03, 2026 - 13:16 vuln.today
Public exploit code
Analysis Generated
May 03, 2026 - 13:15 vuln.today
EUVD ID Assigned
May 03, 2026 - 13:00 euvd
EUVD-2026-26834
Analysis Generated
May 03, 2026 - 13:00 vuln.today
CVE Published
May 03, 2026 - 12:30 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unrestricted file upload vulnerability in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows authenticated remote attackers to upload arbitrary files via the /SubstationWEBV2/main/uploadH5Files endpoint, potentially leading to remote code execution or system compromise. The vulnerability is tracked with CVSS 6.3 (moderate severity), publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.

Technical ContextAI

The vulnerability resides in the file upload handler at /SubstationWEBV2/main/uploadH5Files, which fails to properly validate or restrict the 'File' parameter during upload operations. This is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) issue where the application accepts file uploads without enforcing adequate type, size, or content validation. The affected product is a cloud-based enterprise power operation and maintenance platform, meaning the upload handler processes files that may be stored server-side and potentially executed or processed by backend services. The lack of file type restrictions combined with a web-accessible upload endpoint creates a direct path to arbitrary file injection.

RemediationAI

No vendor-released patch is currently available for this vulnerability (RL:X status in CVSS vector). Organizations must implement compensating controls immediately: (1) Restrict access to the /SubstationWEBV2/main/uploadH5Files endpoint to a whitelist of trusted IP addresses or VPN-only networks, reducing the attack surface to insiders or compromised internal accounts; (2) Implement strict file type validation on the server side - reject any file uploads that do not match the expected H5 file format signature (magic bytes), and store uploads in a non-executable directory outside the web root to prevent direct execution; (3) Disable or remove the upload functionality entirely if not actively used, as this eliminates the attack vector; (4) Monitor upload activity and file system changes in the upload directory for suspicious files with executable extensions (.php, .jsp, .exe, .sh, etc.); (5) Enforce strict file permissions on uploaded files (read-only, non-executable) and separate uploaded content from application binaries. Contact Acrel Electrical directly to request a security update and estimated timeline for remediation. References for additional guidance: VulDB record https://vuldb.com/vuln/360865.

Share

EUVD-2026-26834 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy