Description
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. It affects an unknown function of the file /ThemeAndWidgets.xhtml in the component Theme Customization. Manipulating the argument uploadLogo results in an unrestricted upload. Remote exploitation is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue; the affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Patch
AI Analysis

Impact

An improper access control flaw in the /ThemeAndWidgets.xhtml page of the Dataverse Theme Customization component permits an attacker to manipulate the uploadLogo parameter and upload files without any restriction on type, size, or location. The weakness aligns with CWE-284 and CWE-434. By uploading a malicious script or binary, an attacker may host arbitrary code on the server, potentially enabling further compromise if the uploaded file is executed or accessed by privileged users.

Affected Systems

Harvard University IQSS Dataverse versions up to 6.8 are affected, as the flaw was identified in those releases. The vendor released Dataverse 6.10, which removes the unrestricted upload capability from the Theme Customization feature. No other products or components were noted as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The vulnerability can be exploited remotely via a web request to the /ThemeAndWidgets.xhtml endpoint, likely by unauthenticated users, as the advisory does not reference authentication requirements. Publicly available exploits confirm that attackers can reach the upload functionality over the network without credentials. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, but the existence of a public exploit and the lack of upload restrictions elevate the risk for systems that rely on the Theme Customization feature.

Generated by OpenCVE AI on April 1, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch by upgrading Harvard University IQSS Dataverse to version 6.10 or later.
  • If a gradual transition is required, temporarily disable the Theme Customization feature or restrict access to the /ThemeAndWidgets.xhtml page until the upgrade can be performed.
  • Monitor application logs for attempts to upload files via the uploadLogo parameter and investigate any suspicious activity.

Generated by OpenCVE AI on April 1, 2026 at 12:20 UTC.


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Harvard University; Harvard University iqss Dataverse

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Harvard University; Harvard University iqss Dataverse

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 10:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Type: Title
  Values Removed: (none)
  Values Added: Harvard University IQSS Dataverse Theme Customization ThemeAndWidgets.xhtml unrestricted upload

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-284; CWE-434

Type: References
  Values Removed: (none)
  Values Added: (none listed)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T13:08:49.098Z

Reserved: 2026-02-04T07:49:19.915Z

Link: CVE-2026-1879

Vulnrichment

Updated: 2026-04-01T13:08:45.479Z

NVD

Status: Deferred

Published: 2026-04-01T10:16:15.490

Modified: 2026-04-24T18:12:06.580

Link: CVE-2026-1879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:17:45Z

Weaknesses