Description
ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../public_html/ to write executable code to the web root and achieve remote code execution.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

ARMBot’s upload.php contains an unrestricted file upload vulnerability. An attacker can supply a crafted file name with path traversal sequences (e.g., ../public_html/) that bypasses upload restrictions. This allows the attacker to upload arbitrary PHP files into the web root, enabling the execution of attacker‑controlled code on the server. The vulnerability directly leads to remote code execution, which compromises confidentiality, integrity, and availability of the affected instance. The weakness is identified as CWE-22, Unauthorized Write to File.

Affected Systems

The affected product is ARMBot:ARMBot. Specific affected versions are not disclosed in the available data; users should confirm whether their installed instance matches the vulnerability’s scope by reviewing vendor documentation or contacting vendor support.

Risk and Exploitability

The CVSS v3 score is 8.7, indicating a high severity vulnerability. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild, although the lack of a known KEV listing does not guarantee absence of active exploitation. The attack vector is likely unauthenticated, via the publicly accessible upload.php endpoint, and requires path traversal inputs. If exploited, an attacker can run arbitrary code on the server.

Generated by OpenCVE AI on March 17, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the ARMBot vendor website or support channels for an official patch or update. If a patch is available, apply it immediately.
  • If no patch exists, consider disabling or removing the upload.php functionality until remediation is available.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Armbot; Armbot armbot
Vendors & Products | | Armbot; Armbot armbot

Wed, 11 Mar 2026 22:30:00 +0000


Wed, 11 Mar 2026 22:00:00 +0000


Wed, 11 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../public_html/ to write executable code to the web root and achieve remote code execution.
Title | | ARMBot Unrestricted File Upload via upload.php
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:04:34.404Z

Reserved: 2026-02-23T12:14:56.604Z

Link: CVE-2019-25480

Vulnrichment

Updated: 2026-03-11T19:22:37.280Z

NVD

Status: Deferred

Published: 2026-03-11T19:16:02.170

Modified: 2026-04-15T14:56:45.970

Link: CVE-2019-25480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:41Z

Weaknesses