Description
A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-01-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Remote File Upload
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the uploadFile method of FormResource.java in the SVG File Handler of lwj Flow. An attacker can send a crafted File argument that bypasses validation, allowing upload of any file type to the server. This unrestricted upload can be exploited remotely, potentially enabling the delivery of malicious code or other files that compromise the integrity and confidentiality of the system. The flaw arises from improper access control (CWE‑284) and the lack of file type restrictions (CWE‑434).

Affected Systems

This issue affects the lwj Flow application, a web‑based workflow platform. The flaw exists in all releases up to commit a3d2fe8133db9d3b50fda4f66f68634640344641, and due to the project’s rolling‑release model, any version built after that commit may also be impacted until a patch is provided. Users should assume that no version post‑commit is safe without an official fix. The vendor, listed as lwj, has not yet issued a response or update.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity vulnerability. EPSS is reported as less than 1%, suggesting a low probability of active exploitation. The vulnerability is not in the CISA Known Exploited Vulnerabilities catalog. Attackers can exercise the flaw remotely via the uploadFile endpoint. While the immediate risk is moderate, the lack of an available patch and the remote nature of the attack vector may elevate concern for systems that accept untrusted input.

Generated by OpenCVE AI on April 18, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or newer version as soon as it becomes available.
  • Enforce strict server‑side validation to allow only whitelisted file types and size limits for uploads.
  • If the SVG upload feature is not required, disable or restrict it in the application configuration.
  • Consider network segmentation or firewall rules to limit public exposure of the upload endpoint to trusted networks.
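As an added illustration of the second recommendation above (server-side allowlisting for the SVG upload path), here is a validator written for this page in Python rather than the project's Java, so it runs stand-alone; it is not code from lwj flow, and the function names, size limit and sample files are assumptions. Beyond the extension check the text asks for, it also verifies the declared type and the actual bytes, since an attacker controls both the file name and the Content-Type header.

```python
import re
import xml.etree.ElementTree as ET

# Policy values are assumptions for this example, not settings taken from lwj flow.
MAX_SVG_BYTES = 256 * 1024
ALLOWED_EXTENSIONS = {".svg"}
SVG_NS = "http://www.w3.org/2000/svg"
UNSAFE_ELEMENTS = {"script", "foreignObject"}             # active content a viewer may execute
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)  # onload=, onclick=, ...

def validate_svg_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Allowlist check on name, declared type, size and the actual bytes of an upload."""
    name = re.split(r"[\\/]", filename)[-1]  # basename only: the client path never decides storage
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext or '(none)'}"
    if content_type.split(";", 1)[0].strip().lower() != "image/svg+xml":
        return False, f"unexpected Content-Type: {content_type}"
    if len(data) > MAX_SVG_BYTES:
        return False, f"file exceeds {MAX_SVG_BYTES} bytes"
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:  # no DTDs: blocks XXE / entity-expansion input
        return False, "DTD or entity declarations are not allowed"
    try:
        root = ET.fromstring(data)  # the bytes must parse, not merely carry an .svg name
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag not in (f"{{{SVG_NS}}}svg", "svg"):
        return False, f"root element is not <svg>: {root.tag}"
    for el in root.iter():
        local = el.tag.split("}")[-1]
        if local in UNSAFE_ELEMENTS:
            return False, f"active content not allowed: <{local}>"
        for attr in el.attrib:
            if EVENT_HANDLER.match(attr.split("}")[-1]):
                return False, f"event-handler attribute not allowed: {attr}"
    return True, "ok"

# Constructed sample uploads for demonstration.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script/></svg>'

def run_samples() -> dict[str, bool]:
    return {
        "clean": validate_svg_upload("diagram.svg", "image/svg+xml; charset=utf-8", CLEAN_SVG)[0],
        "wrong_ext": validate_svg_upload("notes.txt", "image/svg+xml", CLEAN_SVG)[0],
        "renamed": validate_svg_upload("../x.svg", "image/svg+xml", b"not an image")[0],
        "scripted": validate_svg_upload("icon.svg", "image/svg+xml", SCRIPTED_SVG)[0],
    }
```

Store accepted files under a server-generated name outside the web root; the validator decides only whether the bytes are an inert SVG.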

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:45:00 +0000

  Type: References

Tue, 20 Jan 2026 17:15:00 +0000

  Type: Metrics (ssvc)
  Values Added:
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

  Type: First Time appeared
  Values Added: Lwj; Lwj flow
  Type: Vendors & Products
  Values Added: Lwj; Lwj flow

Sun, 18 Jan 2026 16:45:00 +0000

  Type: Description
  Values Added: A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
  Type: Title
  Values Added: lwj flow SVG File FormResource.java uploadFile unrestricted upload
  Type: Weaknesses
  Values Added: CWE-284; CWE-434
  Type: References
  Type: Metrics
  Values Added:
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:39:44.515Z

Reserved: 2026-01-17T18:20:05.336Z

Link: CVE-2026-1126

Vulnrichment

Updated: 2026-01-20T16:41:06.664Z

NVD

Status: Deferred

Published: 2026-01-18T17:15:49.713

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:30:25Z

Weaknesses