Description
A vulnerability was identified in kalcaddle kodbox 1.64. This issue affects the function Add of the file app/controller/explorer/userShare.class.php of the component Public Share Handler. Such manipulation leads to unrestricted upload. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-26
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted file upload enabling privilege escalation
Action: Assess Impact
AI Analysis

Impact

A flaw in the Add method of the Public Share Handler in Kalcaddle Kodbox 1.64 allows an attacker to upload files with no restrictions on type or size. Because the application does not enforce proper access control, any uploaded file can be accessed by privileged components or subsequently executed, potentially raising the attacker's privileges within the system. The vulnerability is classified under CWE‑284 (Improper Access Control) and CWE‑434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

The vulnerability affects the Kalcaddle Kodbox file sharing component in version 1.64. The affected code is located in app/controller/explorer/userShare.class.php, specifically the Add function within the Public Share module. Only installations running that exact version are known to be impacted; there is no information on newer releases providing a fix.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. No EPSS score is available, and the defect is not listed in the CISA KEV catalog. Attackers can trigger the vulnerability remotely by sending a crafted HTTP request to the Public Share endpoint, provided the service is reachable. The description notes that exploitation is complex and difficult, yet a publicly available exploit exists, which increases concern. Because the vendor has not released a patch, the risk remains until a fix or workaround is applied.

Generated by OpenCVE AI on March 26, 2026 at 04:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor website or support channels for an updated version or patch for Kodbox 1.64
  • Disable or remove the Public Share Handler feature if not required in your deployment
  • Implement server‑side validation to allow only safe file types (e.g., restrict to specific MIME types and file extensions) and enforce strict size limits
  • Deploy a web application firewall or equivalent controls to monitor and block suspicious upload attempts
  • Regularly scan the upload directory for malicious files and quarantine or delete any suspicious contents
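The validation described in the actions above, shown as an added example; this is not Kodbox's own code and does not reflect how userShare.class.php is written. It assumes PHP with the fileinfo extension enabled, a `$_FILES` entry handed in by the request handler, a storage directory outside the web root, and an assumed 10 MiB policy cap; the class and method names are made up for the example. The client-supplied filename and `type` field are treated as untrusted: the last extension is checked against an allowlist, the content is sniffed with finfo and must agree with the extension, and the file is stored under a server-generated random name.

```php
<?php
declare(strict_types=1);

// Added example, not Kodbox code: allowlist-based validation for an upload
// endpoint. Assumes the fileinfo extension is available and that $dir lies
// outside the web root so stored files are never served as scripts.
final class UploadValidator
{
    private const MAX_BYTES = 10 * 1024 * 1024; // 10 MiB hard cap (assumed policy)

    // Allowed last extension => MIME type the sniffed content must report.
    private const ALLOWED = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'pdf'  => 'application/pdf',
    ];

    /**
     * Returns null when the upload is acceptable, otherwise a rejection reason.
     * $file is one entry of $_FILES (name, type, tmp_name, error, size).
     */
    public static function reject(array $file): ?string
    {
        $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
        if ($err !== UPLOAD_ERR_OK) {
            return "transport error $err";
        }
        $tmp = (string) ($file['tmp_name'] ?? '');
        if ($tmp === '' || !is_uploaded_file($tmp)) {
            return 'not a file uploaded via HTTP POST';
        }

        // Measure the file on disk; $file['size'] and $file['type'] are client-influenced.
        $size = filesize($tmp);
        if ($size === false || $size === 0 || $size > self::MAX_BYTES) {
            return 'size out of bounds';
        }

        // Strip any path component from the client name and look only at the last extension.
        $name = basename((string) ($file['name'] ?? ''));
        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ($ext === '' || !isset(self::ALLOWED[$ext])) {
            return "extension '$ext' not allowed";
        }

        // Sniff the actual bytes; a renamed script will not report the image/PDF type.
        $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
        if ($sniffed !== self::ALLOWED[$ext]) {
            return "content type '$sniffed' does not match extension '$ext'";
        }
        return null;
    }

    /**
     * Moves an already-accepted upload into $dir under a random name that keeps
     * only the allowlisted extension, so the client name never reaches the filesystem.
     */
    public static function store(array $file, string $dir): string
    {
        $ext    = strtolower(pathinfo(basename((string) $file['name']), PATHINFO_EXTENSION));
        $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!move_uploaded_file($file['tmp_name'], $target)) {
            throw new RuntimeException('could not store upload');
        }
        chmod($target, 0640); // readable by the app, never executable
        return $target;
    }
}

// Usage inside a request handler (hypothetical paths):
// $why = UploadValidator::reject($_FILES['file'] ?? []);
// if ($why !== null) { http_response_code(400); exit('rejected: ' . $why); }
// $stored = UploadValidator::store($_FILES['file'], '/var/lib/app/uploads');
```

The order matters: the transport and `is_uploaded_file` checks run before anything touches the filename, the size is read from disk rather than from the request, and the extension allowlist is consulted before the content sniff so that a mismatch between the two is reported rather than silently accepted. Storing under a random name with a fixed extension also sidesteps double-extension tricks, because the client's chosen name is discarded entirely.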

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Kalcaddle; Kalcaddle kodbox
Type: Vendors & Products
Values Removed: (none)
Values Added: Kalcaddle; Kalcaddle kodbox

Thu, 26 Mar 2026 01:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was identified in kalcaddle kodbox 1.64. This issue affects the function Add of the file app/controller/explorer/userShare.class.php of the component Public Share Handler. Such manipulation leads to unrestricted upload. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
Values Removed: (none)
Values Added: kalcaddle kodbox Public Share userShare.class.php add privilege escalation
Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284; CWE-434
Type: References
Values Removed: (none)
Values Added: (empty)
Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-28T02:04:09.214Z

Reserved: 2026-03-25T14:11:29.830Z

Link: CVE-2026-4830

Vulnrichment

Updated: 2026-03-28T02:04:04.945Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T01:16:28.193

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-4830

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:59Z

Weaknesses