Description
A flaw has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The affected element is the function do_POST of the file backend/server.py. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Upload
Action: Assess Impact
AI Analysis

Impact

A flaw was discovered in the do_POST function of PromtEngineer localGPT's backend/server.py. The record classifies it as CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), which together describe an upload handler that does not adequately restrict who may upload or what may be uploaded, and it states that the attack can be carried out remotely and that an exploit has already been published. An attacker who can place arbitrary files on the server may be able to run malicious code (if the uploaded content is later executed or interpreted), read or overwrite data, or disrupt the service; the published CVSS vectors rate the direct confidentiality, integrity and availability impact as low each, so the actual consequence depends on where the files land and how the backend uses them.

Affected Systems

The affected product is PromtEngineer localGPT, with the vulnerability present in all code up to and including commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The project uses a rolling-release model, so there is no version number to check, and no fixing commit has been identified; any deployment at that commit or earlier is affected, and later checkouts should be treated as affected until the project publishes a fix.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 is rated Medium; the CVSS 3.x vectors score 7.3 and the CVSS 2.0 vector 7.5, both High. All of them agree on exploitability: network-reachable, low attack complexity, no privileges and no user interaction required, with low (partial) impact on confidentiality, integrity and availability and exploit maturity set to proof-of-concept. EPSS is below 1% (very low) and the CVE is not listed in the CISA KEV catalog; the SSVC record marks Exploitation as none (no known active exploitation) but Automatable as yes. In practical terms, an unauthenticated attacker who can reach the backend over the network can send a crafted POST request to the upload handler using the published exploit. With no vendor response and no published fix, the risk remains until the project addresses the issue or deployments apply their own containment measures.

Generated by OpenCVE AI on March 28, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Watch the localGPT GitHub repository for a commit after 4d41c7d1713b16b216d8e062e51a5dd88b20b054 that changes do_POST in backend/server.py; because the project is rolling-release there is no version number to check, so compare the commit hash of the deployed checkout against the fix once one is published and update promptly.
  • Until then, require authentication on the upload endpoint (and keep the backend off untrusted networks, for example bound to loopback or behind an authenticating reverse proxy), and enforce an allowlist of accepted file types by extension and by content, with a maximum request size and no path separators accepted from the client-supplied filename.
  • Store accepted uploads under a server-generated name in a directory mounted with execution disabled and not served by the web server at all; if uploaded files must be retrievable, serve them only as static content with a fixed Content-Type and Content-Disposition: attachment.
  • Monitor server access logs for POST requests to the upload path that come from unexpected sources or arrive in unusual volume, audit the upload directory for files outside the allowlist, and investigate any suspicious activity.
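The second and third recommended actions above, written out as a hardened do_POST for an http.server-based backend. This is an added example, not code from localGPT's backend/server.py or from OpenCVE: the handler name, the /upload path, the UPLOAD_DIR and UPLOAD_TOKEN settings, the allowlist and the helper names are all assumptions. It requires a bearer token checked in constant time, caps the request size, parses the multipart body with the standard library, accepts only allowlisted extensions whose content matches, discards the client-supplied filename in favour of a random server-chosen one, and writes with O_EXCL into a directory that the deployment is expected to mount noexec and never serve.

```python
"""Hardened upload handling for a BaseHTTPRequestHandler-style backend.

Added example, not code from localGPT's backend/server.py: the handler and
helper names, the /upload path, UPLOAD_DIR, UPLOAD_TOKEN and the allowlist
are assumptions made for illustration.
"""
import hmac
import os
import re
import secrets
from email.parser import BytesParser
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler

UPLOAD_DIR = os.environ.get("UPLOAD_DIR", "/var/lib/localgpt/uploads")  # assumed; mount noexec, never web-served
UPLOAD_TOKEN = os.environ.get("UPLOAD_TOKEN", "")  # assumed shared secret; empty disables uploads entirely
MAX_UPLOAD_BYTES = 25 * 1024 * 1024
ALLOWED_TYPES = {".pdf": b"%PDF-", ".txt": None, ".md": None}  # ext -> required leading bytes (None: text, no NULs)
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # no separators, no leading dot


class UploadRejected(Exception):
    """Refused upload; carries the HTTP status to send back."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = int(status), reason


def authorized(auth_header, expected=None):
    """Constant-time check of 'Authorization: Bearer <token>' against the shared secret."""
    expected = UPLOAD_TOKEN if expected is None else expected
    if not expected or not auth_header or not auth_header.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth_header[len("Bearer "):].encode(), expected.encode())


def parse_multipart(content_type, body):
    """Return (filename, bytes) for the first file part of a multipart/form-data body."""
    if not content_type.lower().startswith("multipart/form-data"):
        raise UploadRejected(HTTPStatus.UNSUPPORTED_MEDIA_TYPE, "multipart/form-data required")
    # Reuse the stdlib MIME parser: prepend the Content-Type header so it can find the boundary.
    msg = BytesParser().parsebytes(b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body)
    for part in (msg.get_payload() if msg.is_multipart() else []):
        if part.get_filename():
            return part.get_filename(), part.get_payload(decode=True)
    raise UploadRejected(HTTPStatus.BAD_REQUEST, "no file part in body")


def validate_upload(filename, data):
    """Enforce filename, extension, size and content checks; return the accepted extension."""
    if not SAFE_FILENAME.match(filename):
        raise UploadRejected(HTTPStatus.BAD_REQUEST, "unsafe filename")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(HTTPStatus.UNSUPPORTED_MEDIA_TYPE, "file type not allowed")
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected(HTTPStatus.REQUEST_ENTITY_TOO_LARGE, "empty or oversized file")
    magic = ALLOWED_TYPES[ext]
    if magic is not None and not data.startswith(magic):
        raise UploadRejected(HTTPStatus.UNSUPPORTED_MEDIA_TYPE, "content does not match extension")
    if magic is None and b"\x00" in data:
        raise UploadRejected(HTTPStatus.UNSUPPORTED_MEDIA_TYPE, "binary content in text upload")
    return ext


def store_upload(data, ext, upload_dir=None):
    """Write under a server-chosen random name, O_EXCL and mode 0600, confined to upload_dir."""
    root = os.path.realpath(UPLOAD_DIR if upload_dir is None else upload_dir)
    os.makedirs(root, mode=0o700, exist_ok=True)
    dest = os.path.join(root, secrets.token_hex(16) + ext)
    if os.path.dirname(os.path.realpath(dest)) != root:  # belt-and-braces path confinement
        raise UploadRejected(HTTPStatus.INTERNAL_SERVER_ERROR, "destination outside upload dir")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


class UploadHandler(BaseHTTPRequestHandler):
    """Assumed handler shape; only the upload branch of do_POST is shown."""
    def _reply(self, status, text):
        body = text.encode()
        self.send_response(int(status))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != "/upload":
            return self._reply(HTTPStatus.NOT_FOUND, "not found")
        if not authorized(self.headers.get("Authorization")):
            return self._reply(HTTPStatus.UNAUTHORIZED, "missing or invalid token")
        try:
            length = int(self.headers.get("Content-Length", "0"))
            if length <= 0 or length > MAX_UPLOAD_BYTES + 4096:  # headroom for multipart framing
                raise UploadRejected(HTTPStatus.REQUEST_ENTITY_TOO_LARGE, "bad Content-Length")
            body = self.rfile.read(length)
            name, data = parse_multipart(self.headers.get("Content-Type", ""), body)
            store_upload(data, validate_upload(name, data))
        except UploadRejected as e:
            return self._reply(e.status, e.reason)
        except ValueError:
            return self._reply(HTTPStatus.BAD_REQUEST, "malformed request")
        self._reply(HTTPStatus.CREATED, "stored")  # never echo the server-side path back
```

The content check is deliberately per-type: a "notes.pdf" whose bytes are a PHP or Python script is refused even though the extension is allowed, and a text upload containing NUL bytes is refused as disguised binary. The random server-side name means an attacker never controls where the file lands, and the realpath comparison guards against a misconfigured UPLOAD_DIR that itself points outside the intended tree.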

Generated by OpenCVE AI on March 28, 2026 at 17:50 UTC.
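The fourth recommended action, monitoring the access log for POST traffic to the upload path, as an added detection example that is not part of the OpenCVE page or of localGPT. It assumes the backend logs in the default BaseHTTPRequestHandler log_message() format (written to stderr), that the upload endpoint is /upload, and that only loopback and one private range are trusted sources for a locally run tool; the log lines are constructed, with 203.0.113.0/24 taken from the documentation address range. Two signals are raised: any upload POST from an untrusted source, and a burst of uploads from one source inside a short window.

```python
"""Scan http.server-style access logs for suspicious upload traffic.

Added example, not part of the OpenCVE page or of localGPT. The log lines
are constructed to match the default BaseHTTPRequestHandler log_message()
format; the /upload path, trusted networks and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Matches e.g.:  127.0.0.1 - - [28/Mar/2026 16:15:58] "POST /upload HTTP/1.1" 200 -
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
UPLOAD_PATHS = {"/upload"}  # assumed endpoint
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]  # assumed
BURST_LIMIT, BURST_WINDOW_S = 5, 60  # assumed: five uploads a minute from one source is unusual here

# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real attacker.
SAMPLE_LOG = """\
127.0.0.1 - - [28/Mar/2026 16:15:58] "POST /upload HTTP/1.1" 200 -
127.0.0.1 - - [28/Mar/2026 16:16:02] "GET /api/status HTTP/1.1" 200 -
203.0.113.7 - - [28/Mar/2026 16:17:10] "POST /upload HTTP/1.1" 200 -
203.0.113.7 - - [28/Mar/2026 16:17:11] "POST /upload HTTP/1.1" 200 -
203.0.113.7 - - [28/Mar/2026 16:17:12] "POST /upload HTTP/1.1" 200 -
203.0.113.7 - - [28/Mar/2026 16:17:13] "POST /upload HTTP/1.1" 200 -
203.0.113.7 - - [28/Mar/2026 16:17:14] "POST /upload HTTP/1.1" 200 -
203.0.113.7 - - [28/Mar/2026 16:18:30] "GET /api/status HTTP/1.1" 200 -
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string when matching the endpoint
    return rec


def is_trusted(ip):
    """True if the source address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # unparseable source field: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(lines):
    """Return (ip, reason) findings for upload POSTs from untrusted sources or in bursts.

    Lines are assumed to be in chronological order, as a log file is.
    """
    findings = []
    recent = defaultdict(list)  # ip -> timestamps of upload POSTs inside the sliding window
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in UPLOAD_PATHS:
            continue
        if not is_trusted(rec["ip"]):
            findings.append((rec["ip"], "upload POST from untrusted source"))
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        window[:] = [t for t in window if (rec["ts"] - t).total_seconds() <= BURST_WINDOW_S]
        if len(window) == BURST_LIMIT:  # report once, when the threshold is crossed
            findings.append((rec["ip"], f"{BURST_LIMIT} upload POSTs within {BURST_WINDOW_S}s"))
    return findings


if __name__ == "__main__":
    for ip, reason in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {reason}")
```

Because http.server records only the request line and status, the log cannot tell you what was uploaded; pair this with an audit of the upload directory for files whose extension or leading bytes fall outside the allowlist.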

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Promtengineer; Promtengineer localgpt

Type: Vendors & Products
Values removed: (none)
Values added: Promtengineer; Promtengineer localgpt

Sat, 28 Mar 2026 16:15:00 +0000

Type: Description
Values removed: (none)
Values added: A flaw has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The affected element is the function do_POST of the file backend/server.py. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values removed: (none)
Values added: PromtEngineer localGPT server.py do_POST unrestricted upload

Type: Weaknesses
Values removed: (none)
Values added: CWE-284; CWE-434

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics
Values removed: (none)
Values added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T14:38:48.529Z

Reserved: 2026-03-27T13:48:24.504Z

Link: CVE-2026-5001

Vulnrichment

Updated: 2026-03-30T14:38:45.251Z

NVD

Status : Awaiting Analysis

Published: 2026-03-28T16:15:58.260

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-5001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:59:01Z

Weaknesses