Description
Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations, leading to arbitrary code execution in the context of the web server.
Published: 2026-03-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

Precurio Intranet Portal 4.4 contains a cross‑site request forgery flaw that lets an attacker coerce an authenticated user to submit a carefully crafted request to a profile‑update endpoint. The endpoint accepts file uploads, and if the uploaded file contains executable code the server stores it in a web‑accessible directory, enabling the attacker to run arbitrary code with web‑server privileges. This weakness maps to HTTP request forgery and insecure file‑upload categories.

Affected Systems

The only affected product listed is Precurio Intranet Portal version 4.4. No other major or minor versions are mentioned.

Risk and Exploitability

The flaw has a CVSS base score of 8.6, indicating high severity. The EPSS score is below 1 %, suggesting a low current probability of exploitation. It is not listed in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated session that can be influenced to send a malicious file; once the file is uploaded to an executable directory, the attacker can achieve arbitrary code execution.

Generated by OpenCVE AI on April 2, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑provided patch or upgrade to a newer version of Precurio Intranet Portal that addresses the CSRF and file‑upload controls.
  • If a patch is unavailable, configure the application to reject uploads of executable file types (e.g., .php, .exe, .js) and ensure that the upload directory does not have execute permissions.
  • Verify that the profile‑update endpoint validates a CSRF token that is not transmitted via an insecure channel such as GET or other exposure.
  • Monitor server logs for abnormal upload activity and investigate any anomalies promptly.

Generated by OpenCVE AI on April 2, 2026 at 05:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Precurio precurio
CPEs cpe:2.3:a:precurio:precurio:4.4:*:*:*:*:*:*:*
Vendors & Products Precurio precurio

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
CWE-434

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
CWE-434

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
CWE-434

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
CWE-434

Wed, 25 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
CWE-434

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Precurio
Precurio precurio Intranet Portal
Vendors & Products Precurio
Precurio precurio Intranet Portal

Fri, 20 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Precurio Intranet Portal 4.4 contains a cross-site request forgery (CSRF) weakness that can allow an attacker to induce an authenticated user to submit a crafted request to a profile update endpoint that handles file uploads. If the application stores attacker-controlled content as an executable server-side file (e.g., in a web-accessible location with an executable extension), this can lead to arbitrary code execution in the context of the web server. Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations, leading to arbitrary code execution in the context of the web server.

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description Precurio Intranet Portal 4.4 contains a cross-site request forgery (CSRF) weakness that can allow an attacker to induce an authenticated user to submit a crafted request to a profile update endpoint that handles file uploads. If the application stores attacker-controlled content as an executable server-side file (e.g., in a web-accessible location with an executable extension), this can lead to arbitrary code execution in the context of the web server.
Title Precurio Intranet Portal 4.4: Cross-Site Request Forgery leading to arbitrary file upload
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Precurio Precurio Precurio Intranet Portal
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T14:25:22.155Z

Reserved: 2026-03-17T11:31:56.957Z

Link: CVE-2026-32989

cve-icon Vulnrichment

Updated: 2026-03-20T16:31:13.712Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T16:16:17.770

Modified: 2026-04-01T15:23:23.023

Link: CVE-2026-32989

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:32Z

Weaknesses