Description
FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. Attackers can supply a traversal sequence such as ../../../shell.php to write files outside the intended attachments directory into the web root, and because PHP files are accepted without extension validation, achieve remote code execution as the web server user.
Published: 2026-06-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FrontAccounting versions prior to 2.4.20 contain a path traversal flaw that permits authenticated users to write files outside the intended attachments directory. By crafting the unique_name parameter with sequences such as ../../../shell.php and uploading a PHP script without proper extension validation, an attacker can place a file in the web root and execute it as the web server user, thereby achieving remote code execution.

Affected Systems

FrontAccounting installations running any release older than 2.4.20 are affected, regardless of deployment type or hosting environment.

Risk and Exploitability

The CVSS score of 8.7 marks this flaw as high severity. Because the exploit requires authenticated access and a file upload capability, attackers who can log into the system may execute arbitrary code with the privileges of the web server. The EPSS score is not available, and the flaw is not listed in CISA KEV, but the potential for widespread exploitation in environments where file uploads are enabled warrants immediate attention.

Generated by OpenCVE AI on June 29, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FrontAccounting to version 2.4.20 or later.
  • If an upgrade is not immediately possible, disable the attachment upload functionality or enforce strict file type validation to block PHP script uploads.
  • Configure the web server or .htaccess to deny execution of files in the attachments directory and restrict permissions on the web root to prevent execution of uploaded code.
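
The server-side validation the second recommendation calls for, as an added example that is not FrontAccounting's own code: a helper that takes a user-supplied attachment name (the unique_name parameter above), strips any directory component, allowlists the extension and confirms the final path sits directly inside the attachments directory. The function name, the allowlist and the demo directory are assumptions.

```php
<?php
// Added example, not FrontAccounting's own code. Names and the extension
// allowlist are assumptions for this illustration.
const ALLOWED_EXT = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'csv'];

function safe_attachment_path(string $userName, string $attachDir): ?string
{
    // NUL bytes truncate paths in C-level filesystem calls; refuse them outright.
    if (strpos($userName, "\0") !== false) {
        return null;
    }
    // Keep only the last path component so "../../../shell.php" becomes "shell.php".
    $name = basename(str_replace('\\', '/', $userName));

    // Require exactly one dot: no hidden files, no "shell.php.pdf" double
    // extensions that some handler configurations still execute. \z (not $)
    // so a trailing newline cannot slip past the check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,80}\.[A-Za-z0-9]{1,10}\z/', $name)) {
        return null;
    }

    // Allowlist the extension; a deny-list of ".php" misses .phtml, .phar, .php7, etc.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Resolve the directory and confirm the target is directly inside it.
    $realDir = realpath($attachDir);
    if ($realDir === false) {
        return null;
    }
    $target = $realDir . DIRECTORY_SEPARATOR . $name;
    if (dirname($target) !== $realDir) {
        return null;
    }
    return $target;
}

// Constructed demo directory so the script runs offline.
$demoDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fa_attachments_demo';
if (!is_dir($demoDir)) {
    mkdir($demoDir, 0700, true);
}
foreach (['../../../shell.php', 'report.php', 'invoice.pdf', '.htaccess'] as $candidate) {
    $path = safe_attachment_path($candidate, $demoDir);
    printf("%-22s => %s\n", $candidate, $path === null ? 'rejected' : $path);
}
```

Pair this with the third recommendation: even with the allowlist, the attachments directory should carry a web-server rule that denies script execution, so a validation regression cannot become code execution on its own.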



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Frontaccounting; Frontaccounting frontaccounting
Vendors & Products  |                | Frontaccounting; Frontaccounting frontaccounting

Mon, 29 Jun 2026 13:30:00 +0000

Type        | Values Removed | Values Added
Description |                | FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. Attackers can supply path traversal sequences ../../../shell.php to write files outside the intended attachments directory into the web root, and by uploading PHP files without extension validation, achieve remote code execution as the web server user.
Title       |                | FrontAccounting < 2.4.20 Path Traversal RCE via attachment upload
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T12:30:12.799Z

Reserved: 2026-04-13T20:29:02.810Z

Link: CVE-2026-40521

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:45:15Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')