CVE-2026-36760 - Vulnerability Details

- Authenticated File Upload Path Traversal Allowing Arbitrary File Creation in JeeSite 5.15.1

Description

An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.

Published: 2026-04-30

Score: 9.6 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the fileMd5 parameter of the /a/file/upload endpoint in JeeSite 5.15.1. Authenticated users with file‑upload permissions can exploit a path traversal flaw to write arbitrary files that have whitelisted suffixes to any location on the server when chunked upload is enabled. This allows an attacker to overwrite application files or place malicious scripts, potentially enabling remote code execution or unauthorized configuration changes. The weakness corresponds to a path traversal error (CWE‑22).

Affected Systems

The flaw is present in installations of JeeSite version 5.15.1 that expose the /a/file/upload endpoint and allow authenticated file uploads while chunked upload is enabled. No other JeeSite versions or products are indicated as affected.

Risk and Exploitability

Exploitation requires the attacker to be authenticated and possess file‑upload rights, so the attack surface is limited to privileged users. Nevertheless, the ability to write to arbitrary disk locations enables modifying critical code or deploying web shells. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 9.6 indicates high risk, and the potential to tamper with application files. No public exploit has been reported yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Thinkgem

Jeesite

80%

Version	Status	Scheme	Platform
`5.15.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official JeeSite patch or upgrade to a version that resolves the /a/file/upload path traversal flaw.
Disable chunked file uploads until the vulnerability is fixed, or restrict the endpoint to a dedicated upload bucket that prevents traversal.
Limit file‑upload permissions to the minimal set of users required for business operations and enforce server‑side checks that reject any destination paths containing traversal characters.
Add explicit path sanitization logic to the upload handler so that all file write operations are confined to a safe directory structure.

Generated by OpenCVE AI on May 2, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00051.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/thinkgem/jeesite
https://github.com/thinkgem/jeesite/issues/530

History

Sat, 02 May 2026 00:45:00 +0000

Type	Values Removed	Values Added
Title		Authenticated File Upload Path Traversal Allowing Arbitrary File Creation in JeeSite 5.15.1

Thu, 30 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 30 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thinkgem Thinkgem jeesite
Vendors & Products		Thinkgem Thinkgem jeesite

Thu, 30 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-22
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}`

Thu, 30 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.
References		https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/530

Subscriptions

Thinkgem Jeesite

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-30T00:00:00.000Z

Updated: 2026-04-30T17:50:04.241Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36760

Vulnrichment

Updated: 2026-04-30T17:47:51.526Z

NVD

Status : Deferred

Published: 2026-04-30T17:16:26.050

Modified: 2026-04-30T18:16:28.927

Link: CVE-2026-36760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object