Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulation of the argument editormd-image-file causes unrestricted upload. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
AnalysisAI
Unrestricted file upload in Dcat-Admin up to 2.2.3-beta allows remote attackers with high privileges - or potentially with authentication bypass - to upload arbitrary files via the editorMDUpload function at the /admin/dcat-api/editor-md/upload endpoint on the User Setting Page. The vulnerability stems from improper access control (CWE-284) on the editormd-image-file parameter, enabling upload of potentially malicious file types. Publicly available exploit code exists (CVSS E:P confirmed), though no active exploitation is listed in CISA KEV. The low CVSS 4.0 base score of 2.0 reflects constrained impact scope, but the 'Authentication Bypass' tag warrants additional scrutiny of the effective privilege requirement.
Technical ContextAI
Dcat-Admin is a PHP-based Laravel admin panel framework. The affected component is its integrated Editor.md markdown editor upload handler, exposed at /admin/dcat-api/editor-md/upload. The root cause is CWE-284 (Improper Access Control) - the application fails to enforce adequate restrictions on uploaded file types or content for the editormd-image-file argument in the editorMDUpload function. While the endpoint is nominally within an authenticated admin area (reflected in PR:H), the 'Authentication Bypass' tag in the intelligence data suggests there may be a separate access control weakness that reduces or eliminates the effective privilege barrier. No CPE string was provided, but the affected version range is confirmed as Dcat-Admin <= 2.2.3-beta. CWE-284 is broader than the typical CWE-434 (Unrestricted Upload of File with Dangerous Type), hinting the core flaw is in access policy rather than file type validation alone.
RemediationAI
No vendor-released patch version is identified in the available reference data - the fix version is not confirmed from VulDB references or an independent vendor advisory. Administrators running Dcat-Admin <= 2.2.3-beta should monitor the official Dcat-Admin GitHub repository for a patched release and apply it immediately upon availability. As a compensating control, restrict access to the /admin/dcat-api/editor-md/upload endpoint at the web server or WAF layer to trusted IP ranges only, reducing the network-accessible attack surface. Additionally, implement server-side file type validation (allowlist of safe extensions such as .jpg, .png, .gif) on the upload handler as a defense-in-depth measure - note this does not address the underlying access control weakness but limits the impact of successful exploitation. Disable the Editor.md upload feature entirely if markdown image uploads are not a business requirement, as this eliminates the attack surface completely. Reference: https://vuldb.com/vuln/369302
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35296
GHSA-8ppw-2j69-mvrj