Skip to main content

WEOLL EUVDEUVD-2026-36437

| CVE-2026-6211 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-12 TR-CERT GHSA-jpfv-gw2p-hjm7
8.7
CVSS 3.1 · NVD
Share

Severity by source

Vendor (TR-CERT) PRIMARY
HIGH
qualitative
NVD
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network-reachable upload endpoint with a low-privileged account (PR:L), victim must interact with the stored payload (UI:R), and ACL bypass crosses the security scope to High C/I; no availability impact described.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 16:01 EUVD
Analysis Generated
Jun 12, 2026 - 14:51 vuln.today

DescriptionNVD

Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects WEOLL: from 2.0.9 before 3.2.45.33.

AnalysisAI

Unrestricted file upload in Global IT Informatics Services WEOLL versions 2.0.9 through 3.2.45.32 allows authenticated low-privilege users to upload files of dangerous types and bypass ACL-protected functionality. With CVSS 8.7 (scope-changed, confidentiality and integrity high) and TR-CERT advisory publication, the flaw enables impact beyond the vulnerable component, though no public exploit identified at time of analysis and KEV/EPSS signals are not provided.

Technical ContextAI

WEOLL is a web-based product distributed by Global IT Informatics Services Inc., identified by CPE cpe:2.3:a:global_it_informatics_services_inc.:weoll. The root cause class is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the application's upload handler fails to validate file extension, MIME type, or content before persisting the file in a location reachable by the web tier. The advisory also references improper ACL enforcement, indicating the upload endpoint or the resulting stored file can be accessed by users or roles that the application's access-control model intended to exclude - combining a file-handling weakness with a broken authorization check.

RemediationAI

Upgrade WEOLL to version 3.2.45.33 or later, which is the first fixed release indicated by the affected-range boundary in the TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0369); confirm the exact build with the vendor before deployment. Until patching, restrict who holds upload-capable accounts, place the application behind a WAF rule that blocks executable, script, and archive extensions (.php, .jsp, .aspx, .exe, .svg, .html, .htaccess) on multipart uploads, and serve any user-upload directory from a separate non-executing path or storage bucket with Content-Disposition: attachment and a strict Content-Type allowlist - accepting that legitimate document workflows may need re-testing. Additionally tighten ACLs on upload and download endpoints and review logs for unexpected file types written by low-privilege accounts, recognizing that WAF rules can be bypassed via content-type spoofing and are a stop-gap, not a fix.

Share

EUVD-2026-36437 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy