CVE-2026-3797 - Vulnerability Details

- Tiandy Video Surveillance System 视频监控平台 CLS_REST_File.java uploadFile unrestricted upload

Description

A security vulnerability has been detected in Tiandy Video Surveillance System 视频监控平台 7.17.0. The impacted element is the function uploadFile of the file /src/com/tiandy/easy7/core/rest/CLS_REST_File.java. The manipulation of the argument fileName leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-03-09

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the uploadFile function of Tiandy Video Surveillance System 7.17.0, where the fileName argument is not properly validated, allowing arbitrary files to be uploaded from outside the device without authentication. The attack relies solely on file upload; while the CVE does not confirm execution of the payload, the ability to place files on the device could enable further malicious actions if the system processes uploaded content. This weakness corresponds to CWE-284 and CWE-434.

Affected Systems

Tiandy Video Surveillance System version 7.17.0 is affected. The vulnerability originates in the CLS_REST_File.java component. No other versions or firmware revisions are listed as impacted based on current CNA data.

Risk and Exploitability

With a CVSS score of 5.3 the risk is moderate, yet the EPSS score below 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack can be launched remotely from the network and does not require local privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tiandy

Video Surveillance System 视频监控平台

affected

Version	Status	Constraints
`7.17.0`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:tiandy:video_surveillance_system_firmware:7.17.0:*:*:*:*:*:*:*

cpe:2.3:h:tiandy:video_surveillance_system:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Tiandy

Video Surveillance System

90%

Version	Status	Scheme	Platform
`7.17.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an official vendor patch or firmware upgrade that restricts file uploads to authenticated users and validates file types before processing
Configure the system to reject unknown or potentially hazardous file extensions, implementing strict MIME type checking
Restrict network access to the REST upload endpoint using firewall rules or VPN, limiting connections to trusted IP ranges

Generated by OpenCVE AI on April 16, 2026 at 10:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://my.feishu.cn/docx/P3Bgdl9BHocn66xCMpCcgCD7nhe?from=from_copylink
https://vuldb.com/?ctiid.349764
https://vuldb.com/?id.349764
https://vuldb.com/?submit.766386

History

Tue, 10 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tiandy video Surveillance System Firmware
CPEs		cpe:2.3:h:tiandy:video_surveillance_system:-:::::::* cpe:2.3:o:tiandy:video_surveillance_system_firmware:7.17.0:::::::*
Vendors & Products		Tiandy video Surveillance System Firmware

Tue, 10 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tiandy Tiandy video Surveillance System
Vendors & Products		Tiandy Tiandy video Surveillance System

Mon, 09 Mar 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in Tiandy Video Surveillance System 视频监控平台 7.17.0. The impacted element is the function uploadFile of the file /src/com/tiandy/easy7/core/rest/CLS_REST_File.java. The manipulation of the argument fileName leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Tiandy Video Surveillance System 视频监控平台 CLS_REST_File.java uploadFile unrestricted upload
Weaknesses		CWE-284 CWE-434
References		https://my.feishu.cn/docx/P3Bgdl9BHocn66xCMpCcgCD7nhe?from=from_copylink https://vuldb.com/?ctiid.349764 https://vuldb.com/?id.349764 https://vuldb.com/?submit.766386
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tiandy Video Surveillance System Video Surveillance System Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-09T02:32:20.573Z

Updated: 2026-03-10T20:17:05.763Z

Reserved: 2026-03-08T11:23:35.419Z

Link: CVE-2026-3797

Vulnrichment

Updated: 2026-03-10T20:17:01.767Z

NVD

Status : Analyzed

Published: 2026-03-09T04:16:00.843

Modified: 2026-03-10T18:48:16.983

Link: CVE-2026-3797

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:30:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object