Description
A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-16
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Apply Controls
AI Analysis

Impact

The Upload function of SysFileController.java (business/business-system/src/main/java/com/glowxq/system/admin/controller/) in the glowxq-oj web application accepts files without adequate server-side validation, so a remote attacker can upload files of arbitrary type. The flaw is present in the code base up to commit 6f7c723090472057252040fd2bbbdaa1b5ed2393 and is classified as CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The rated impact is a partial loss of confidentiality, integrity and availability (each scored Low in the CVSS vectors); if an uploaded file lands somewhere the application server or web server will execute or serve it (for example a JSP under the web root), the impact escalates to remote code execution.

Affected Systems

The project does not use release versioning, so the affected range cannot be expressed as a version interval and is identified by commit instead. Any deployment built from commit 6f7c723090472057252040fd2bbbdaa1b5ed2393 or an earlier one is affected, and no later commit has been confirmed to fix the issue, so every current glowxq-oj deployment should be treated as affected until its Upload function has been reviewed or patched.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium); the v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L scores 7.3 (High). Both agree that the upload endpoint is reachable over the network without authentication or user interaction. The EPSS score is below 1%, indicating a low predicted probability of exploitation within the next 30 days, and the CVE is not in the CISA KEV catalog; a public proof of concept does exist, however (SSVC: Exploitation "poc", Automatable "yes"). Whether exploitation yields remote code execution depends on where the application stores uploaded files and whether the application server or web server will execute or serve them from that location.

Generated by OpenCVE AI on March 17, 2026 at 13:35 UTC.

Remediation

No vendor fix or workaround is currently available; the vendor did not respond to the disclosure.

OpenCVE Recommended Actions

  • Validate uploads server‑side: allowlist permitted extensions and MIME types, check the file's leading bytes against the declared type, enforce a size limit, and reject names containing path separators or "..".
  • Store uploaded files under a server‑generated random name in a directory outside the web root (or one the server is configured never to execute scripts from), and serve them back with a fixed Content‑Type and Content‑Disposition: attachment.
  • Require authentication and authorization on the upload endpoint (CWE‑284 is one of the two assigned weaknesses).
  • Deploy a web application firewall or similar controls to detect and block malicious upload patterns.
  • Monitor application logs for unexpected uploads, in particular files with server‑executable extensions (for example .jsp, .jspx, .war), and review the upload directory for such files.
  • Check the vendor's repository or website for a commit beyond 6f7c723090472057252040fd2bbbdaa1b5ed2393 and apply it if available.
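As an added example (not code from the glowxq-oj repository), the following standalone Java class shows the checks a fixed Upload handler should perform before writing a file: an extension allowlist, a magic‑byte check of the content against the declared type, a size limit, rejection of path characters in the client‑supplied name, and a random stored name inside a directory outside the web root. The storage directory, the 10 MiB limit and the allowlist are assumed policy values, and the inputs in main are constructed samples, not real uploads.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HexFormat;
import java.util.Locale;
import java.util.Map;

/** Server-side checks a hardened Upload handler should run before writing a file. */
public final class UploadValidator {

    /** Maximum accepted size; 10 MiB is an assumed policy value. */
    static final long MAX_BYTES = 10L * 1024 * 1024;

    /** Allowlist: lower-case extension -> magic bytes the content must start with (assumed policy). */
    static final Map<String, byte[]> ALLOWED = Map.of(
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "pdf",  "%PDF-".getBytes(StandardCharsets.US_ASCII)
    );

    /** Storage directory outside the web root; assumed path, set per deployment. */
    static final Path STORE = Paths.get("/var/lib/glowxq-oj/uploads");

    private static final SecureRandom RNG = new SecureRandom();

    /** Validates an upload and returns the path it may be written to; throws on any violation. */
    public static Path validate(String originalName, byte[] content) {
        if (content == null || content.length == 0) {
            throw new IllegalArgumentException("empty upload");
        }
        if (content.length > MAX_BYTES) {
            throw new IllegalArgumentException("upload exceeds size limit");
        }
        if (originalName == null || originalName.contains("/") || originalName.contains("\\")
                || originalName.contains("..") || originalName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected file name");
        }
        // Only the final extension counts: "shell.jsp.png" is looked up as "png" and then
        // must also carry a PNG header, otherwise the magic-byte check below rejects it.
        int dot = originalName.lastIndexOf('.');
        if (dot < 0 || dot == originalName.length() - 1) {
            throw new IllegalArgumentException("missing extension");
        }
        String ext = originalName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            throw new IllegalArgumentException("content does not match declared type " + ext);
        }
        // Never reuse the client-supplied name: random name plus the validated extension.
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        Path target = STORE.resolve(HexFormat.of().formatHex(id) + "." + ext).normalize();
        if (!target.startsWith(STORE)) {
            throw new IllegalStateException("path escaped storage directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal PNG header and a JSP one-liner standing in for a web shell.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] jsp = "<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>"
            .getBytes(StandardCharsets.UTF_8);
        String[][] cases = {
            {"avatar.png", "png"},                 // accepted
            {"shell.jsp", "jsp"},                  // rejected: extension not allowed
            {"shell.png", "jsp"},                  // rejected: JSP body behind a png name
            {"../../webapps/ROOT/x.png", "png"},   // rejected: path traversal in name
            {"photo.PNG", "png"}                   // accepted: case-insensitive extension
        };
        for (String[] c : cases) {
            byte[] body = c[1].equals("png") ? png : jsp;
            try {
                System.out.println(c[0] + " -> accepted, stored as " + validate(c[0], body));
            } catch (IllegalArgumentException e) {
                System.out.println(c[0] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `java UploadValidator.java` (Java 17 or later). A magic‑byte check does not stop a polyglot (a valid PNG with JSP text appended), so the stored name and location are the controls that matter: the upload directory must never be mapped to a JSP or servlet handler, and files from it must be served as attachments with a fixed Content‑Type rather than by their original name.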


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 10:00:00 +0000

Type                   Values Removed   Values Added
First Time appeared                     Glowxq
                                        Glowxq glowxq-oj
Vendors & Products                      Glowxq
                                        Glowxq glowxq-oj

Mon, 16 Mar 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 01:00:00 +0000

Type          Values Removed   Values Added
Description                    A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Title                          glowxq glowxq-oj SysFileController.java upload unrestricted upload
Weaknesses                     CWE-284
                               CWE-434
References
Metrics                        cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Glowxq Glowxq-oj
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T18:47:12.805Z

Reserved: 2026-03-15T08:36:34.330Z

Link: CVE-2026-4201

Vulnrichment

Updated: 2026-03-16T18:47:09.399Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:20:05.070

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:00:49Z

Weaknesses