Description
A security flaw has been discovered in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability lies in the File Upload component of PbootCMS up to version 3.2.12, where manipulation of the black argument bypasses a file type blacklist. This flaw enables an attacker to upload files that may be executed by the web application, potentially leading to remote code execution and compromising system integrity.

Affected Systems

All installations of PbootCMS that are version 3.2.12 or earlier are affected. The CNA vendor/product list specifies only PbootCMS, and no more granular version data is available beyond the stated maximum release.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate risk. EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog, suggesting it may not yet be widely exploited; however, an exploit has been released publicly and the attack can be launched remotely. The flaw is classified as CWE-183 (permissive list of allowed inputs) and CWE-184 (incomplete list of disallowed inputs): the upload filter relies on a deny-list that does not cover every dangerous input.

Generated by OpenCVE AI on March 21, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PbootCMS to the latest released version where the file upload blacklist issue is resolved
  • If an immediate upgrade is not possible, restrict the web server so that uploaded files cannot be executed by setting restrictive permissions and disabling script execution in the upload directory
  • Verify and enhance the server‑side validation of the black parameter to accept only known safe file extensions
  • Monitor web server logs for abnormal upload attempts and investigate suspicious activity
  • Consider deploying a Web Application Firewall that blocks dangerous file uploads and enforces strict content type checks
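The third recommended action above, replacing the extension deny-list with an allowlist of known-safe extensions, is shown below as an added example in PHP. It is not PbootCMS code and does not reproduce the affected function in core/function/file.php; the function names, the sample file names and the extension lists are constructed for illustration. The deny-list function is included only for contrast, to make visible why CWE-184 (an incomplete list of disallowed inputs) is a structural problem: every name the list author did not anticipate passes.

```php
<?php
// Added example, not PbootCMS code: allowlist-based validation of an
// uploaded file name, next to the deny-list pattern that CWE-184 describes.
declare(strict_types=1);

/**
 * Deny-list check in the style CWE-184 warns about. Kept only for contrast:
 * it accepts anything whose final extension is not literally in $blocked.
 */
function denylist_allows(string $filename, array $blocked): bool
{
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return !in_array($ext, $blocked, true);
}

/**
 * Allowlist check: the name is accepted only if, after normalisation, every
 * extension segment is one of the known-safe ones in $allowed.
 */
function allowlist_allows(string $filename, array $allowed): bool
{
    // Only plain file names are acceptable: no NUL bytes, no path separators.
    if ($filename === '' || strpbrk($filename, "\0/\\") !== false) {
        return false;
    }
    // Some filesystems silently strip trailing dots and spaces; refuse
    // such names instead of guessing what the stored name will be.
    if (rtrim($filename, ". ") !== $filename) {
        return false;
    }
    // Compare case-insensitively so "JPG" and "jpg" are the same extension.
    $parts = explode('.', strtolower($filename));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dot-file
    }
    // Every segment after the base name must be allowed, so a name with an
    // extra inner extension fails even when its final extension is fine.
    foreach (array_slice($parts, 1) as $segment) {
        if (!in_array($segment, $allowed, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Server-chosen storage name: the client-supplied name never reaches the
 * disk, only its (already validated) extension does.
 */
function storage_name(string $filename): string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names; none are taken from a real upload or exploit.
$samples = ['report.pdf', 'photo.JPG', 'index.php', 'notes.txt.', 'a.php.jpg'];
$blocked = ['php'];                                      // a short deny-list
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']; // the allowlist

foreach ($samples as $name) {
    $ok = allowlist_allows($name, $allowed);
    printf(
        "%-12s denylist=%-5s allowlist=%-5s stored-as=%s\n",
        $name,
        denylist_allows($name, $blocked) ? 'pass' : 'block',
        $ok ? 'pass' : 'block',
        $ok ? storage_name($name) : '-'
    );
}
```

Running the script shows the two checks agreeing on report.pdf and index.php but diverging on the other three constructed names: the deny-list passes them because their final extension is not literally "php", while the allowlist blocks them because a segment is not in the safe set or the name is not a plain file name. The allowlist is the check to keep; pair it with the second recommended action (no script execution in the upload directory) so that a validation mistake alone does not yield code execution.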


Tracking


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 21 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Title | | PbootCMS File Upload file.php incomplete blacklist
First Time appeared | | Pbootcms; Pbootcms pbootcms
Weaknesses | | CWE-183; CWE-184
CPEs | | cpe:2.3:a:pbootcms:pbootcms:*:*:*:*:*:*:*:*
Vendors & Products | | Pbootcms; Pbootcms pbootcms
References | |
Metrics | | cvssV2_0
{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Pbootcms Pbootcms
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-24T14:04:06.713Z

Reserved: 2026-03-20T14:25:50.786Z

Link: CVE-2026-4509

Vulnrichment

Updated: 2026-03-24T14:04:00.413Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T06:16:14.160

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-4509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:19Z

Weaknesses