Description
A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."
Published: 2026-02-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload enabling potential data tampering
Action: Immediate Patch
AI Analysis

Impact

A flaw in the /api/admin/sys-file/upload endpoint allows any user to upload files without validation of type or extension. This creates a risk that malicious content can be stored on the server and later processed, potentially leading to data tampering or unauthorized disclosure. The weakness is classified as an improper access control and unrestricted file upload.

Affected Systems

The vulnerability exists in the feiyuchuixue sz-boot-parent project up to version 1.3.2-beta. All releases before the patched 1.3.3-beta are affected; the issue was identified in the repository and the fix is available on the stated commit and release tag.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate impact, and the EPSS score of less than 1% shows a very low probability of exploitation, although public exploit code is available. Based on the description, the attack vector is inferred to be remote; attackers can remotely trigger the upload if the endpoint is reachable. The vulnerability is not listed in the CISA KEV catalog. The patch addresses the problem by implementing whitelist limits on allowed extensions and MIME types.

Generated by OpenCVE AI on April 18, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade feiyuchuixue sz-boot-parent to v1.3.3-beta as released on GitHub.
  • If immediate upgrade is not possible, configure oss.allowedExts and oss.allowedMimeTypes to restrict acceptable file extensions and MIME types on the /api/admin/sys-file/upload endpoint.
  • Deploy network-level filtering or application gateway rules to block access to the upload endpoint from untrusted IPs, and monitor upload activity for anomalies.

Generated by OpenCVE AI on April 18, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Szadmin
Szadmin sz-boot-parent
CPEs cpe:2.3:a:szadmin:sz-boot-parent:*:*:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.0.1:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.0.2:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.1.0:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.2.0:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.2.1:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.2.2:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.2.3:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.2.4:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.2.5:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.2.6:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.3.0:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.3.1:beta:*:*:*:*:*:*
cpe:2.3:a:szadmin:sz-boot-parent:1.3.2:beta:*:*:*:*:*:*
Vendors & Products Szadmin
Szadmin sz-boot-parent

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Feiyuchuixue
Feiyuchuixue sz-boot-parent
Vendors & Products Feiyuchuixue
Feiyuchuixue sz-boot-parent

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."
Title feiyuchuixue sz-boot-parent API Endpoint upload unrestricted upload
Weaknesses CWE-284
CWE-434
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Feiyuchuixue Sz-boot-parent
Szadmin Sz-boot-parent
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T20:55:38.723Z

Reserved: 2026-02-25T08:32:10.390Z

Link: CVE-2026-3187

cve-icon Vulnrichment

Updated: 2026-02-25T20:55:34.156Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T15:20:55.277

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3187

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses