Description
The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload() endpoint validates uploaded files by checking their MIME type (via PHP's finfo, which inspects file contents) but constructs the stored filename using the client-supplied file extension from getClientOriginalExtension(). These two checks are independent: an attacker can upload a file whose content passes the MIME allowlist while using a .php extension. The file is stored on the public disk and is directly accessible via URL, allowing server-side code execution. At time of publication no known patches exist.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Mitigate
AI Analysis

Impact

The vulnerability lies in the Hytale Modding Wiki's quickUpload endpoint, which validates uploaded files only by inspecting their MIME type with PHP's finfo library. However, the filename stored on disk is built from the client-supplied file extension, which is never cross-checked against the detected MIME type. An attacker can therefore upload a file whose contents satisfy the allowed MIME type but whose name carries a .php extension. The file is written to a publicly accessible directory and can be executed as PHP code, giving the attacker full remote code execution on the server. This is an unrestricted file upload weakness (CWE-434), capable of compromising the confidentiality, integrity, and availability of the host system.

Affected Systems

The flaw affects the Hytale Modding Wiki service, which hosts documentation and wikis for Hytale mods. Versions 1.2.0 and earlier are vulnerable, and no official patch has been released at the time of this advisory.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is considered High. No EPSS score is available and the issue is not listed in CISA's KEV catalog. The likely attack vector is remote via the public file-upload API; the attacker only needs to supply a file that passes the MIME check while naming it with a .php extension. If the public upload directory allows execution of PHP files, the attacker immediately achieves remote code execution, which can lead to full system compromise.

Generated by OpenCVE AI on April 2, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact the Hytale Modding support team to request an urgent fix or an update for the affected service.
  • Modify the upload handling logic to reject or block files with executable extensions such as .php, .phtml, or .exe.
  • Remove execute permissions from the directory where uploaded files are stored, ensuring only static content can be served.
  • Configure the web server to disable PHP execution in the upload directory (e.g., via .htaccess or server configuration).
  • Enforce a strict whitelist of allowed file extensions (e.g., .jpg, .png, .md) for all uploads.
  • Enable detailed logging of file-upload activities and regularly review logs for anomalous files.
  • If an immediate fix cannot be applied, consider temporarily disabling the quickUpload endpoint or relocating the wiki to a host with hardened file-serve settings.
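The following PHP is an added illustration, not code from the Hytale Modding Wiki project. It models the pattern the description and the Impact section attribute to quickUpload() (a finfo-based MIME allowlist combined with the client-supplied extension) next to a hardened variant that implements the extension-allowlist recommendation above, and adds a small audit routine for reviewing an existing upload directory for files whose extension does not match their content. The function names, the allowlist contents and the constructed 1x1 PNG sample are assumptions; the project's real controller is not shown on this page.

```php
<?php
// Added example (not code from the Hytale Modding Wiki project): models the
// CWE-434 pattern described in CVE-2026-34735 beside a hardened alternative.
declare(strict_types=1);

// Assumed allowlist keyed by sniffed MIME type. The first extension is the
// canonical one used for the stored name; any listed one is accepted from clients.
const ALLOWED_TYPES = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/gif'  => ['gif'],
];

// Content-based sniffing, the mechanism the advisory says quickUpload() relies on.
function sniffMime(string $path): string {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

// Vulnerable pattern as described: the contents are checked against the MIME
// allowlist, but the stored name keeps whatever extension the client sent.
function vulnerableStoredName(string $tmpPath, string $clientName): ?string {
    if (!isset(ALLOWED_TYPES[sniffMime($tmpPath)])) {
        return null;
    }
    $clientExt = pathinfo($clientName, PATHINFO_EXTENSION); // attacker-controlled
    return bin2hex(random_bytes(8)) . '.' . $clientExt;
}

// Hardened pattern: the stored extension is derived from the sniffed type, and a
// client extension that disagrees with the content is rejected and logged.
function hardenedStoredName(string $tmpPath, string $clientName): ?string {
    $mime = sniffMime($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($clientExt, ALLOWED_TYPES[$mime], true)) {
        error_log("upload rejected: '$clientName' sniffed as $mime");
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . ALLOWED_TYPES[$mime][0];
}

// Audit helper for an existing upload directory: reports files whose extension is
// not one expected for their sniffed content (any .php file is reported this way).
function auditUploadDir(string $dir): array {
    $findings = [];
    foreach (glob($dir . '/*') ?: [] as $path) {
        if (!is_file($path)) {
            continue;
        }
        $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        $mime = sniffMime($path);
        if (!in_array($ext, ALLOWED_TYPES[$mime] ?? [], true)) {
            $findings[] = ['file' => basename($path), 'ext' => $ext, 'mime' => $mime];
        }
    }
    return $findings;
}

// Constructed sample input: a minimal but valid 1x1 PNG (signature + IHDR chunk).
function minimalPng(): string {
    $ihdr = pack('NNCCCCC', 1, 1, 8, 2, 0, 0, 0);
    return "\x89PNG\r\n\x1a\n" . pack('N', strlen($ihdr)) . 'IHDR' . $ihdr
         . pack('N', crc32('IHDR' . $ihdr));
}

$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
$tmp = "$dir/incoming.tmp";
file_put_contents($tmp, minimalPng());

// Same PNG bytes, two client-supplied names: the vulnerable path keeps ".php",
// the hardened path refuses it and only accepts a name that matches the content.
var_dump(vulnerableStoredName($tmp, 'shell.php'));
var_dump(hardenedStoredName($tmp, 'shell.php'));
var_dump(hardenedStoredName($tmp, 'Logo.PNG'));

// Simulate a file that already slipped through and show the audit flagging it.
$stored = vulnerableStoredName($tmp, 'shell.php');
rename($tmp, "$dir/$stored");
print_r(auditUploadDir($dir));

// Clean up the constructed sample directory.
unlink("$dir/$stored");
rmdir($dir);
```

The audit routine is the piece to run against a live installation's public upload directory while no fix is available: it turns the "review logs for anomalous files" recommendation into a concrete content-versus-extension check, and it uses the same finfo sniffing the application already depends on, so it needs no extra dependencies.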

Generated by OpenCVE AI on April 2, 2026 at 22:23 UTC.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hytalemodding
                                      Hytalemodding wiki
Vendors & Products                    Hytalemodding
                                      Hytalemodding wiki

Thu, 02 Apr 2026 20:30:00 +0000

Type         Values Removed   Values Added
Description                   The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload() endpoint validates uploaded files by checking their MIME type (via PHP's finfo, which inspects file contents) but constructs the stored filename using the client-supplied file extension from getClientOriginalExtension(). These two checks are independent: an attacker can upload a file whose content passes the MIME allowlist while using a .php extension. The file is stored on the public disk and is directly accessible via URL, allowing server-side code execution. At time of publication no known patches exist.
Title                         Hytale Modding Vulnerable to Remote Code Execution via File Upload Bypass in `FileController`
Weaknesses                    CWE-434
References
Metrics                       cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T19:14:04.735Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34735

Vulnrichment

Updated: 2026-04-02T19:14:00.137Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T19:21:32.723

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:48Z

Weaknesses