Description
Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha.
Published: 2026-03-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the file upload feature of Census CSWeb version 8.0.1, allowing a remote, authenticated attacker to upload arbitrary files. If a malicious file is successfully uploaded and executed, the application may run arbitrary code, leading to remote code execution. The weakness corresponds to improper validation of uploaded content, as defined by CWE-434.

Affected Systems

Customers running Census CSWeb version 8.0.1 are vulnerable. The issue is present in the cpe:2.3:a:csprousers:csweb:8.0.1 product. The fix is available in version 8.1.0 alpha or later; any deployment still at 8.0.1 or earlier without the patch remains susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while an EPSS score of less than 1% suggests limited current exploitation activity. The vulnerability is not listed in CISA KEV. Based on the description, the attack requires remote access and valid authentication to upload files; once a malicious file is uploaded, it could be executed on the server.

Generated by OpenCVE AI on March 25, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Census CSWeb to version 8.1.0 alpha or later.
  • If an upgrade is not immediately possible, disable or remove the file upload feature and restrict permissions to prevent untrusted uploads.
  • Check the vendor’s website or advisories for additional patches or guidance.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Csprousers; Csprousers csweb |
| CPEs | | cpe:2.3:a:csprousers:csweb:8.0.1:*:*:*:*:*:*:* |
| Vendors & Products | | Csprousers; Csprousers csweb |

Wed, 25 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 24 Mar 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Census; Census csweb |
| Vendors & Products | | Census; Census csweb |

Tue, 24 Mar 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha. |
| Title | | Census CSWeb arbitrary file upload |
| Weaknesses | | CWE-434 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |
| Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-25T14:38:12.537Z

Reserved: 2025-09-26T05:34:11.056Z

Link: CVE-2025-60947

Vulnrichment

Updated: 2026-03-25T14:37:04.363Z

NVD

Status: Analyzed

Published: 2026-03-23T22:16:22.793

Modified: 2026-03-25T21:07:38.513

Link: CVE-2025-60947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:20:33Z

Weaknesses