Skip to main content

Dcat-Admin EUVDEUVD-2026-35296

| CVE-2026-11621 LOW
Improper Access Control (CWE-284)
2026-06-09 cna@vuldb.com GHSA-8ppw-2j69-mvrj
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 03:33 vuln.today

DescriptionCVE.org

A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulation of the argument editormd-image-file causes unrestricted upload. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

Unrestricted file upload in Dcat-Admin up to 2.2.3-beta allows remote attackers with high privileges - or potentially with authentication bypass - to upload arbitrary files via the editorMDUpload function at the /admin/dcat-api/editor-md/upload endpoint on the User Setting Page. The vulnerability stems from improper access control (CWE-284) on the editormd-image-file parameter, enabling upload of potentially malicious file types. Publicly available exploit code exists (CVSS E:P confirmed), though no active exploitation is listed in CISA KEV. The low CVSS 4.0 base score of 2.0 reflects constrained impact scope, but the 'Authentication Bypass' tag warrants additional scrutiny of the effective privilege requirement.

Technical ContextAI

Dcat-Admin is a PHP-based Laravel admin panel framework. The affected component is its integrated Editor.md markdown editor upload handler, exposed at /admin/dcat-api/editor-md/upload. The root cause is CWE-284 (Improper Access Control) - the application fails to enforce adequate restrictions on uploaded file types or content for the editormd-image-file argument in the editorMDUpload function. While the endpoint is nominally within an authenticated admin area (reflected in PR:H), the 'Authentication Bypass' tag in the intelligence data suggests there may be a separate access control weakness that reduces or eliminates the effective privilege barrier. No CPE string was provided, but the affected version range is confirmed as Dcat-Admin <= 2.2.3-beta. CWE-284 is broader than the typical CWE-434 (Unrestricted Upload of File with Dangerous Type), hinting the core flaw is in access policy rather than file type validation alone.

RemediationAI

No vendor-released patch version is identified in the available reference data - the fix version is not confirmed from VulDB references or an independent vendor advisory. Administrators running Dcat-Admin <= 2.2.3-beta should monitor the official Dcat-Admin GitHub repository for a patched release and apply it immediately upon availability. As a compensating control, restrict access to the /admin/dcat-api/editor-md/upload endpoint at the web server or WAF layer to trusted IP ranges only, reducing the network-accessible attack surface. Additionally, implement server-side file type validation (allowlist of safe extensions such as .jpg, .png, .gif) on the upload handler as a defense-in-depth measure - note this does not address the underlying access control weakness but limits the impact of successful exploitation. Disable the Editor.md upload feature entirely if markdown image uploads are not a business requirement, as this eliminates the attack surface completely. Reference: https://vuldb.com/vuln/369302

Share

EUVD-2026-35296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy