Description
Unrestricted upload of file with dangerous type vulnerability in Başarsoft Information Technologies Inc. Rotaban allows Upload a Web Shell to a Web Server.

This issue affects Rotaban: from V2026.06.002 before V2026.06.003.
Published: 2026-06-11
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An arbitrary file upload flaw in Rotaban permits the upload of files with dangerous types, such as web shells, without any validation or restriction. An attacker can place executable code on the web server and achieve full control over the application, resulting in confidentiality, integrity and availability breaches. The weakness is identified as CWE‑434.

Affected Systems

The vulnerability affects Başarsoft Information Technologies Inc.’s Rotaban product. All releases from V2026.06.002 up to but not including V2026.06.003 are vulnerable. Earlier versions are not affected, and any release equal to or newer than V2026.06.003 contains the fix.

Risk and Exploitability

With a CVSS score of 9.9 the issue is considered critical. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web interface, requiring only an unauthenticated or authenticated user with upload privileges. If exploited, an attacker can upload a web shell and execute arbitrary commands, leading to complete takeover of the affected web server.

Generated by OpenCVE AI on June 11, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rotaban to version V2026.06.003 or later to eliminate the unrestricted upload flaw.
  • If an upgrade cannot be performed immediately, restrict the upload function to allow only safe file types and enforce strict MIME type validation on the server side.
  • Place any uploaded files in a directory that is non‑executable or set appropriate filesystem permissions to prevent execution, and monitor for unauthorized file uploads.

Generated by OpenCVE AI on June 11, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Basarsoft
Basarsoft rotaban
Vendors & Products Basarsoft
Basarsoft rotaban

Thu, 11 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Description Unrestricted upload of file with dangerous type vulnerability in Başarsoft Information Technologies Inc. Rotaban allows Upload a Web Shell to a Web Server. This issue affects Rotaban: from V2026.06.002 before V2026.06.003.
Title Arbitrary File Upload in Basarsoft's Rotaban
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Basarsoft Rotaban
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-06-17T10:56:23.877Z

Reserved: 2026-06-10T06:25:02.477Z

Link: CVE-2026-11839

cve-icon Vulnrichment

Updated: 2026-06-11T16:03:54.252Z

cve-icon NVD

Status : Deferred

Published: 2026-06-11T16:16:22.497

Modified: 2026-06-11T20:52:02.393

Link: CVE-2026-11839

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:18:01Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type