Description
A weakness has been identified in Bytedesk up to 1.3.9. This vulnerability affects the function handleFileUpload of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the component SVG File Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 1.4.5.1 is able to resolve this issue. This patch is called 975e39e4dd527596987559f56c5f9f973f64eff7. It is recommended to upgrade the affected component.
Published: 2026-03-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the handleFileUpload method of Bytedesk's SVG File Handler. The code does not validate file types or enforce access control, allowing attackers to upload any file, including malicious code. This can compromise the application's integrity, and the impact depends on the content of the uploaded files and subsequent interactions with the system.

Affected Systems

Bytedesk web application versions 1.3.9 and earlier are affected. The developers released version 1.4.5.1, which applies the fix. No other vendors or product variants are mentioned.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, with an EPSS of less than 1% suggesting low but non‑zero exploitation probability. The vulnerability is accessible remotely via the upload endpoint and is not listed in the KEV catalog. Because the exploit code is publicly available, attackers with web access to the application could upload a crafted SVG or other file type to trigger the vulnerability.

Generated by OpenCVE AI on April 16, 2026 at 10:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bytedesk to v1.4.5.1 or later.
  • Disable or restrict the file upload endpoint to accept only trusted file types.
  • Add server‑side validation to reject non‑SVG files and scan uploaded files for embedded scripts.

Generated by OpenCVE AI on April 16, 2026 at 10:32 UTC.
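One way to implement the server-side validation recommended above (and the file-type checking the Impact section says handleFileUpload lacks) is shown below. This is an added example in Python, not Bytedesk's code and not the 975e39e4dd527596987559f56c5f9f973f64eff7 patch; it assumes the upload has already been read into memory as bytes together with the client-supplied filename and Content-Type, and the sample uploads at the bottom are constructed for illustration.

```python
"""Server-side SVG upload validation. Added example, not Bytedesk's code; it
assumes the upload has already been read into memory as bytes along with the
client-supplied filename and Content-Type, all of which are untrusted."""
import re
import uuid
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_SVG_BYTES = 512 * 1024  # constructed limit; tune to the deployment

# Elements that let an SVG carry or embed executable or foreign content.
# <style> is refused as a policy choice because it can @import remote resources.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "style"}
# href values whose URI scheme turns a reference into code or inline content.
FORBIDDEN_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)


class RejectedUpload(ValueError):
    """Raised with a short reason when the upload must be refused."""


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def validate_svg_upload(filename: str, content_type: str, data: bytes) -> str:
    """Validate an SVG upload and return a server-chosen storage name.

    Raises RejectedUpload otherwise. Order of checks: extension, declared
    type, size, no DOCTYPE/ENTITY (so entity expansion and external entities
    never reach the parser), well-formed XML with an <svg> root, and no
    script-bearing elements, event-handler attributes or javascript: hrefs.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base.lower().endswith(".svg"):
        raise RejectedUpload("extension must be .svg")
    if content_type.split(";", 1)[0].strip().lower() != "image/svg+xml":
        raise RejectedUpload("Content-Type must be image/svg+xml")
    if len(data) > MAX_SVG_BYTES:
        raise RejectedUpload("file too large")
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise RejectedUpload("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise RejectedUpload(f"not well-formed XML: {exc}") from None
    if root.tag != f"{{{SVG_NS}}}svg":
        raise RejectedUpload("root element is not <svg> in the SVG namespace")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_TAGS:
            raise RejectedUpload(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            local_attr = _local(attr)
            if local_attr.lower().startswith("on"):
                raise RejectedUpload(f"event-handler attribute {local_attr}")
            if local_attr == "href" and FORBIDDEN_SCHEMES.match(value):
                raise RejectedUpload("href with forbidden scheme")
    # The stored name is chosen here, never taken from the client.
    return f"{uuid.uuid4().hex}.svg"


# Constructed sample uploads: name -> (filename, content type, bytes).
SAMPLES = {
    "clean icon": ("icon.svg", "image/svg+xml",
                   b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><circle r="3"/></svg>'),
    "script element": ("icon.svg", "image/svg+xml",
                       b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'),
    "event handler": ("icon.svg", "image/svg+xml",
                      b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()"/>'),
    "doctype": ("icon.svg", "image/svg+xml",
                b'<!DOCTYPE svg [<!ENTITY a "b">]><svg xmlns="http://www.w3.org/2000/svg"/>'),
    "wrong extension": ("page.jsp", "image/svg+xml",
                        b'<svg xmlns="http://www.w3.org/2000/svg"/>'),
    "not xml": ("icon.svg", "image/svg+xml", b"this is not an image"),
}


def check_samples() -> dict:
    """Run every sample through the validator; map name -> 'accepted' or reason."""
    results = {}
    for name, (fn, ct, data) in SAMPLES.items():
        try:
            validate_svg_upload(fn, ct, data)
            results[name] = "accepted"
        except RejectedUpload as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for sample, outcome in check_samples().items():
        print(f"{sample:16} -> {outcome}")
```

Running the module prints one line per constructed sample; only the clean icon is accepted. Refusing any DOCTYPE is stricter than a browser needs to be (some editors emit one), but it keeps entity expansion out of the parser entirely. The returned name is generated server-side so the client never controls the stored path, and the accepted file should still be stored outside any location the application server executes from.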

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:bytedesk:bytedesk:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bytedesk; Bytedesk bytedesk
Vendors & Products | | Bytedesk; Bytedesk bytedesk

Sun, 08 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in Bytedesk up to 1.3.9. This vulnerability affects the function handleFileUpload of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the component SVG File Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 1.4.5.1 is able to resolve this issue. This patch is called 975e39e4dd527596987559f56c5f9f973f64eff7. It is recommended to upgrade the affected component.
Title | | Bytedesk SVG File UploadRestService.java handleFileUpload unrestricted upload
Weaknesses | | CWE-284; CWE-434
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T19:39:49.199Z

Reserved: 2026-03-07T20:23:08.679Z

Link: CVE-2026-3749

Vulnrichment

Updated: 2026-03-11T19:39:46.277Z

NVD

Status : Analyzed

Published: 2026-03-08T16:16:02.260

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:45:26Z

Weaknesses