Impact
An arbitrary file upload flaw in Rotaban permits the upload of files with dangerous types, such as web shells, without any validation or restriction. An attacker can place executable code on the web server and achieve full control over the application, resulting in confidentiality, integrity and availability breaches. The weakness is identified as CWE‑434.
Affected Systems
The vulnerability affects Başarsoft Information Technologies Inc.’s Rotaban product. All releases from V2026.06.002 up to but not including V2026.06.003 are vulnerable. Earlier versions are not affected, and any release equal to or newer than V2026.06.003 contains the fix.
Risk and Exploitability
With a CVSS score of 9.9, the issue is considered critical. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web interface, requiring only an unauthenticated or authenticated user with upload privileges. If exploited, an attacker can upload a web shell and execute arbitrary commands, leading to complete takeover of the affected web server.
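The kind of server-side validation whose absence defines CWE-434, shown as an added example (it is not Rotaban's code or the vendor's fix): the check allowlists a single inert extension, verifies that the leading bytes match it, and stores the file under a server-generated name. The function name, allowlist and size limit are assumptions chosen for illustration.

```python
import os
import secrets

# Assumed allowlist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(Exception):
    """Raised when an upload fails a validation step."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    # Drop any client-supplied path; only the final component is considered.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("bad filename")
    # Require exactly one extension: "shell.php.jpg" is rejected because some
    # server configurations execute on an inner extension, and dotfiles such
    # as ".htaccess" are rejected because the name part is empty.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("exactly one extension required")
    ext = "." + parts[1]
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # The content must begin with a signature registered for that extension.
    if not data.startswith(magics):
        raise UploadRejected("content does not match extension")
    # Never reuse the client's name; store under a random one.
    return secrets.token_hex(16) + ext
```

A signature check does not stop polyglot files, so the stored file should also live outside the web root or in a location where the server never executes content.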