The vulnerability arises when the TIS platform accepts XML files from users and deserializes them using XStream without validating the content or file type. An attacker can supply a crafted XML document that contains a reference to a dangerous file type, and when the platform deserializes it, arbitrary bytecode can be executed. This flaw enables remote code execution, allowing an attacker to run code on the server, potentially taking full control. The weakness is categorized under Unrestricted Upload of File with Dangerous Type (CWE‑434) and Deserialization of Untrusted Data (CWE‑502).

The affected product is the TIS platform (datavane:tis). Versions prior to 4.3.0 contain the issue in the tis‑plugin module, specifically the XmlFile class in tis-plugin/src/main/java/com/qlangtech/tis/extension/impl. No other versions are known to be affected. Vulnerable implementations must be upgraded to 4.3.0 or later.

The CVSS score of 10 indicates a critical severity. The EPSS score of less than 1 % suggests that, although the flaw is severe, some analyst estimates the current exploitation likelihood is low; however, the presence of this flaw in a widely used system warrants concern. The flaw was not catalogued in the CISA KEV list, implying no public exploitation reports have been reported. Attackers can likely exploit the vulnerability remotely by uploading a malicious XML file to the public upload endpoint of the TIS service, assuming no authentication or weak authentication is in place. If authentication is required, the attacker would need to compromise valid credentials first. The flaw is a perfect candidate for remote code execution once the deserialization occurs.