Description
A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (XSS) via a remote file upload
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the file upload handler of cskefu, specifically the Upload function of the MediaController.java component. It permits an attacker to inject arbitrary client-side script through the upload function, enabling cross-site scripting: a crafted file submitted remotely can carry script that runs in the browsers of other users who view the uploaded content. The weakness is classified as CWE-79 (improper neutralization of input during web page generation) and CWE-94 (improper control of code generation), indicating that user-controlled data is executed as code.

Affected Systems

Affected are all releases of the cskefu application up to and including version 8.0.1. Versions later than 8.0.1 have not been verified and should be treated as potentially, not confirmed, patched.

Risk and Exploitability

The CVSS base score is 5.1 (CVSS 4.0), a medium severity rating, and the EPSS score is below 1%, indicating a low estimated probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires network access to the file upload endpoint; the public exploit indicates that an attacker must be able to reach the exposed MediaController route. No vendor workaround is provided.

Generated by OpenCVE AI on April 17, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade cskefu to version 8.0.2 or later if available.
  • If an update is not available, configure the MediaController upload endpoint to accept requests only from authenticated users and disable public access.
  • Implement input validation and output encoding to sanitize uploaded content and prevent script execution.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 18:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:cskefu:cskefu:*:*:*:*:*:*:*:*

Tue, 17 Feb 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Cskefu; Cskefu cskefu

Type: Vendors & Products
Values Added: Cskefu; Cskefu cskefu

Mon, 16 Feb 2026 13:30:00 +0000

Type: Description
Values Added: A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: cskefu File Upload MediaController.java upload cross site scripting

Type: Weaknesses
Values Added: CWE-79; CWE-94

Type: References

Type: Metrics
Values Added:
  cvssV2_0
  {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

  cvssV3_0
  {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

  cvssV3_1
  {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

  cvssV4_0
  {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:10:48.494Z

Reserved: 2026-02-15T17:44:06.673Z

Link: CVE-2026-2557

Vulnrichment

Updated: 2026-02-17T16:34:51.281Z

NVD

Status: Analyzed

Published: 2026-02-16T14:16:18.440

Modified: 2026-02-20T17:56:15.777

Link: CVE-2026-2557

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses