Description
docuFORM Managed Print Service Client 11.11c is vulnerable to arbitrary file upload via pmupdate.php.
Published: 2026-05-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

docuFORM Managed Print Service Client 11.11c has a flaw in pmupdate.php that allows the upload of any file type or content without validation. The vulnerability permits an attacker to place arbitrary files on the system by sending requests to the pmupdate.php endpoint, without restrictions on file type, size or format.

Affected Systems

The only product affected is docuFORM Managed Print Service Client version 11.11c. No other vendors or product versions are listed as impacted in the available CNA data.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity, reflecting the risk of having arbitrary files stored on the device. No EPSS data is available, so the likelihood of exploitation remains unknown. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation. The likely attack vector is remote over HTTP/HTTPS, targeting the pmupdate.php endpoint, which may be reachable by any user who can access the service.

Generated by OpenCVE AI on May 12, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Restrict access to pmupdate.php using web‑server configuration or firewall rules so that only authorized hosts or user accounts can reach the upload endpoint.
  • Implement server‑side checks for file type and size before accepting uploads, ensuring that only allowed formats are stored.
  • If a patched or fixed version of docuFORM Managed Print Service Client becomes available, upgrade to that version.



Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Docuform
Docuform docuform
Vendors & Products Docuform
Docuform docuform

Tue, 12 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload Vulnerability in docuFORM Managed Print Service Client 11.11c

Mon, 11 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload Vulnerability in docuFORM Managed Print Service Client 11.11c
Weaknesses CWE-434

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description docuFORM Managed Print Service Client 11.11c is vulnerable to arbitrary file upload via pmupdate.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T19:28:05.535Z

Reserved: 2025-11-18T00:00:00.000Z

Link: CVE-2025-65416

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T16:17:29.057

Modified: 2026-05-12T15:05:31.120

Link: CVE-2025-65416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:48Z

Weaknesses