Description
A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Admin Upload component of crmeb_java, in UploadServiceImpl.java under crmeb/crmeb-service. Per the record, manipulating the `model` argument of the upload request defeats the restrictions the upload service is meant to enforce, so the caller can store files of a type the application never intended to accept. Two points frame the impact. First, every CVSS vector on this record requires high privileges (PR:H in v3/v4, Au:M in v2), so the attacker is assumed to already hold an administrative account on the affected instance; this is a privilege-abuse and hardening issue, not an unauthenticated upload. Second, what an unrestricted upload yields depends on where the file lands: if a server-executable file (for a Java web application, typically a .jsp/.jspx page or a .war archive) can be written somewhere the servlet container serves or deploys, the outcome is remote code execution on the host; if uploads are confined to a non-executing location, the impact drops to hosting attacker-controlled content (stored XSS via HTML/SVG, malware distribution, storage exhaustion).

Affected Systems

Installations of crmeb_java up to and including version 1.3.4 are affected; the record gives no lower bound. The vulnerable code is the Admin Upload service, UploadServiceImpl.java in the crmeb-service module.

Risk and Exploitability

The CVSS 4.0 base score is 5.1 (medium); the CVSS 3.1/3.0 score is 4.7 and the CVSS 2.0 score is 5.8. The score is held down by the privilege requirement (PR:H / Au:M: an authenticated, high-privilege user) and by the low confidentiality, integrity and availability ratings, not by any difficulty of exploitation: the attack is network-reachable, attack complexity is low and no user interaction is needed. No EPSS score is available yet, but a public exploit exists (E:P / E:POC in the vectors, and the description states the exploit is public), so exploitation by anyone who holds or obtains admin credentials is practical. The assigned weaknesses are CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability is not in the CISA KEV catalog at this time, and the vendor did not respond to the disclosure.

Generated by OpenCVE AI on May 3, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround has been published; per the record, the vendor did not respond when contacted about the disclosure.

OpenCVE Recommended Actions

  • Watch for a crmeb_java release later than 1.3.4 that addresses this issue. None has been published at the time of writing, so do not assume the next available version is fixed without checking its changelog or the upload code itself.
  • Until a fix exists, reduce who can reach the Admin Upload endpoint. The CVSS vectors require high privileges, so limiting the number of administrative accounts, enforcing MFA on the admin console and restricting the admin interface to trusted networks directly shrink the attack surface.
  • Harden the upload path server-side. Treat the `model` argument, and every other client-supplied value, as untrusted: it must never select the validation rules or the destination directory. Validate against an allowlist of permitted extensions and matching content (magic bytes) rather than a blocklist of dangerous extensions; for a Java application the dangerous types include .jsp, .jspx and .war as well as the usual .php, .exe and .sh, plus .html and .svg for stored XSS. Rename uploads to a server-generated name and store them outside the web root (or in object storage or a CDN) so that whatever is written is never executed by the application server.
  • Check for prior abuse: files with unexpected extensions or content in the upload directory, and admin upload requests with unusual `model` values in the application and reverse-proxy logs.
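As an added illustration of the hardening steps above (example code written for this page, not crmeb_java's own UploadServiceImpl, whose internals the record does not show): a plain-Java upload handler in which the client-supplied `model` argument can only choose a subdirectory from a fixed server-side map, and the accepted file types are an allowlist checked by both extension and magic bytes. The class name, the `model` values, the magic-byte table and the `MAX_BYTES` limit are assumptions; the payload strings in `main` are constructed test inputs.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

/** Illustrative hardened upload handling (added example; not crmeb_java's code). */
public final class SafeUpload {

    /** Allowlist: extension -> magic-byte prefixes the content must start with (assumed set). */
    private static final Map<String, byte[][]> ALLOWED = Map.of(
        "png",  new byte[][] { {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A} },
        "jpg",  new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "jpeg", new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "gif",  new byte[][] { "GIF87a".getBytes(StandardCharsets.US_ASCII),
                               "GIF89a".getBytes(StandardCharsets.US_ASCII) },
        "pdf",  new byte[][] { "%PDF-".getBytes(StandardCharsets.US_ASCII) }
    );

    /** Fixed mapping of the "model" request argument to a storage subdirectory (assumed values). */
    private static final Map<String, String> MODEL_DIRS = Map.of(
        "product", "product",
        "article", "article",
        "user",    "user"
    );

    private static final long MAX_BYTES = 5L * 1024 * 1024; // assumed limit

    private final Path baseDir; // must live outside the web root

    public SafeUpload(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Stores the upload and returns the server-chosen path, or throws on any violation. */
    public Path store(String model, String clientFilename, byte[] content) throws IOException {
        // 1. "model" only selects a subdirectory via an allowlist. Unknown values are rejected,
        //    so no client value can change which rules apply or where the data lands.
        String sub = MODEL_DIRS.get(model);
        if (sub == null) throw new SecurityException("unknown upload model");

        // 2. Size limit before any other processing.
        if (content.length == 0 || content.length > MAX_BYTES) throw new SecurityException("bad size");

        // 3. Extension from the LAST dot, lower-cased, must be in the allowlist.
        String ext = extensionOf(clientFilename);
        byte[][] magics = ALLOWED.get(ext);
        if (magics == null) throw new SecurityException("extension not allowed: " + ext);

        // 4. Content must match the magic bytes of the claimed type (catches shell.png with JSP inside).
        if (!hasMagic(content, magics)) throw new SecurityException("content does not match " + ext);

        // 5. Server-generated name; the client filename never touches the filesystem.
        Path target = baseDir.resolve(sub).resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(baseDir)) throw new SecurityException("path escape");

        Files.createDirectories(target.getParent());
        Files.write(target, content, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        return target;
    }

    static String extensionOf(String name) {
        if (name == null) return "";
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return "";
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    static boolean hasMagic(byte[] content, byte[][] candidates) {
        for (byte[] magic : candidates) {
            if (content.length >= magic.length
                    && Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        SafeUpload up = new SafeUpload(Files.createTempDirectory("uploads"));
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0}; // constructed
        System.out.println("stored: " + up.store("product", "logo.png", png));
        try { // JSP source renamed to .png fails the magic-byte check (constructed input)
            up.store("product", "shell.png", "<%@ page import=\"java.io.*\" %>".getBytes(StandardCharsets.UTF_8));
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        try { // a traversal-style "model" value is rejected before any file handling
            up.store("../../webapps/ROOT", "x.png", png);
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The design point is step 1: the client argument is a lookup key into a server-side map, never an input to the policy. Whatever `model` does in the real UploadServiceImpl, a fix in this shape removes the class of bug the record describes, because there is no longer any value the client can send that changes which files are accepted or where they are written.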

Generated by OpenCVE AI on May 3, 2026 at 03:21 UTC.

Advisories

No advisories yet.

History

Sun, 03 May 2026 02:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (empty)
Values Added: crmeb_java Admin Upload UploadServiceImpl.java unrestricted upload

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-284, CWE-434

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added:
  cvssV2_0  score 5.8  vector AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
  cvssV3_0  score 4.7  vector CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  cvssV3_1  score 4.7  vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  cvssV4_0  score 5.1  vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T01:15:37.395Z

Reserved: 2026-05-02T08:22:46.654Z

Link: CVE-2026-7673

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-03T02:17:12.537

Modified: 2026-05-03T02:17:12.537

Link: CVE-2026-7673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T03:30:05Z

Weaknesses