Description
The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in an XSS-like effect.
Published: 2026-04-22
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote file upload with potential XSS
Action: Patch
AI Analysis

Impact

The a+HCM application by aEnrich suffers from an arbitrary file upload flaw that allows unauthenticated remote attackers to upload any file to any path on the server, including files with HTML extensions. This flaw is classified as CWE‑434. The ability to place arbitrary files, especially executable or HTML files, could lead to cross‑site scripting or other content‑injection attacks, potentially compromising the confidentiality, integrity, or availability of the application or the data it serves.

Affected Systems

Affected customers are those running the a+HCM product from aEnrich. The advisory does not list specific vulnerable versions, so all installations that have not applied the vendor’s recommended update may be vulnerable. An inventory check is advised to determine the current version and exposure.

Risk and Exploitability

The CVSS base score of 5.1 indicates a moderate risk level. EPSS is not available, so the likelihood of exploitation is unclear, and the vulnerability is not currently listed in the CISA KEV catalog. Remote attackers can exploit the flaw without authentication, suggesting that the vulnerability should be prioritized for patching or mitigation.

Generated by OpenCVE AI on April 22, 2026 at 06:07 UTC.

Remediation

Vendor Solution

Please refer to the aEnrich advisory to upgrade to version 6.8 or later and install the latest patches, or contact aEnrich customer service for assistance.


OpenCVE Recommended Actions

  • Upgrade a+HCM to version 6.8 or later and apply any vendor patches.
  • If an upgrade is not possible, install the latest patches provided by aEnrich and consider disabling the file upload feature.
  • Add server‑side validation to reject disallowed file types and restrict upload destinations to secure directories.
  • Monitor logs for unusual upload activity.
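The third recommended action above (server-side validation of file types and restriction of the upload destination) is the control that directly addresses CWE-434. The following is an added illustration, not code from OpenCVE or from aEnrich's a+HCM: a small upload gatekeeper that shows the naive "join the user-supplied name onto the upload root" pattern next to a hardened check. The allowlist, the magic-byte table and the `uploads` root directory are assumptions chosen for the example.

```python
import os
import re
from pathlib import Path

# Assumed allowlist for the example: only non-executable, non-HTML document types.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".docx"}

# Leading bytes each allowed type is expected to start with (content must match
# the declared extension, so a renamed HTML file is not accepted as ".png").
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
}

# Markers that indicate browser-interpretable content regardless of extension.
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<svg")


def naive_destination(upload_root, filename):
    """The vulnerable pattern: trust the client-supplied name and path.

    '../' segments or absolute paths let the file land outside upload_root.
    """
    return Path(upload_root, filename)


def sanitize_filename(filename):
    """Keep only the final path component and a conservative character set."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    if base in ("", ".", ".."):
        raise ValueError("empty or reserved filename")
    return base


def check_upload(filename, content, upload_root):
    """Hardened check. Returns (True, destination) or (False, reason)."""
    try:
        safe_name = sanitize_filename(filename)
    except ValueError as exc:
        return False, str(exc)

    ext = Path(safe_name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not allowed"

    # Sniff the first bytes: reject anything that looks like HTML/script even
    # when the extension is on the allowlist.
    head = content[:512].lstrip().lower()
    if any(marker in head for marker in HTML_MARKERS):
        return False, "content looks like HTML or script"

    if not content.startswith(MAGIC[ext]):
        return False, "content does not match the declared type"

    # Defence in depth: confirm the resolved destination stays under the root.
    root = Path(upload_root).resolve()
    dest = (root / safe_name).resolve()
    if root not in dest.parents:
        return False, "destination escapes the upload directory"
    return True, dest


if __name__ == "__main__":
    # Constructed sample uploads for demonstration (not real submissions).
    samples = [
        ("report.pdf", b"%PDF-1.7\n%constructed"),
        ("../../webroot/evil.html", b"<html><script>alert(1)</script></html>"),
        ("logo.png", b"<svg onload=alert(1)>"),
        ("..\\..\\webroot\\photo.jpg", b"\xff\xd8\xff\xe0constructed"),
    ]
    for name, data in samples:
        print(name, "->", "naive:", naive_destination("uploads", name))
        print(name, "->", "hardened:", check_upload(name, data, "uploads"))
```

The naive helper is included only to make the contrast visible: `naive_destination("uploads", "../../webroot/evil.html")` resolves outside the upload root, whereas `check_upload` strips the path, rejects the HTML extension, and would also reject HTML content hiding behind an allowed extension. In a real deployment the upload root should additionally sit outside the web server's document root and be served, if at all, with a non-executing, download-only content disposition.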



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Aenrich; Aenrich a+hcm

Type: Vendors & Products
Values Added: Aenrich; Aenrich a+hcm

Wed, 22 Apr 2026 04:00:00 +0000

Type: Description
Values Added: The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in a XSS-like effect.

Type: Title
Values Added: aEnrich|a+HCM - Arbitrary File Upload

Type: Weaknesses
Values Added: CWE-434

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-04-22T12:40:07.869Z

Reserved: 2026-04-22T02:48:35.815Z

Link: CVE-2026-6835

Vulnrichment

Updated: 2026-04-22T12:39:16.136Z

NVD

Status : Received

Published: 2026-04-22T04:16:09.560

Modified: 2026-04-22T04:16:09.560

Link: CVE-2026-6835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:49Z

Weaknesses