Description
scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file.
Published: 2026-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an arbitrary file upload flaw in the scalar_url query parameter of the Scalar Proxy endpoint. An attacker can upload a malicious SVG file that the server processes, enabling execution of arbitrary code. This results in remote code execution on the server hosting the Scalar Proxy.

Affected Systems

The affected product is scalar/astro version 0.1.13. Any environment that runs this version and exposes the Scalar Proxy endpoint is vulnerable. No other versions or vendor products are currently listed as affected.

Risk and Exploitability

The CVSS score of 9.8 rates this vulnerability as critical, consistent with an arbitrary file upload that leads to remote code execution. The EPSS score is < 1%, indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an HTTP request that supplies a crafted SVG file through the scalar_url parameter, allowing an attacker with access to the endpoint to execute arbitrary code on the server.

Generated by OpenCVE AI on May 20, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade scalar/astro to a version that removes the scalar_url upload flaw.
  • Disable the scalar_url query parameter or enforce strict authentication so only trusted users can access the Scalar Proxy endpoint.
  • Implement server-side validation to reject SVG files or any disallowed MIME types unless explicitly permitted.

Generated by OpenCVE AI on May 20, 2026 at 17:25 UTC.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload in Scalar Proxy Enables Remote Code Execution via SVG
Weaknesses CWE-434

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Scalar
Scalar astro
Vendors & Products Scalar
Scalar astro

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload in Scalar Proxy Enables Remote Code Execution via SVG
Weaknesses CWE-434
CWE-94

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-20T13:44:56.043Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30117

Vulnrichment

Updated: 2026-05-20T13:44:46.846Z

NVD

Status: Deferred

Published: 2026-05-19T16:16:19.980

Modified: 2026-05-20T14:16:39.693

Link: CVE-2026-30117

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T17:30:35Z

Weaknesses