Description
Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element.
Published: 2026-05-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mothra naïvely accepts a default value supplied by a website for the path field in HTML file upload forms. An attacker can craft a page with a malicious default file path, hide the form element, and cause the user’s browser to submit a file to that path. This lack of validation enables the attacker to overwrite arbitrary files, potentially compromising the integrity of the system and enabling execution of harmful code. The weakness is a form of unchecked input handling, consistent with path‑traversal or improper validation of default values for file uploads.

Affected Systems

The vulnerable component is part of the 9front operating system, specifically the Mothra viewer. No specific version information is supplied in the advisory, so all releases of 9front that include Mothra are potentially affected until a patch is provided.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of < 1% indicates a very low probability of exploitation. The vulnerability is not currently listed in CISA’s KEV catalog. The likely attack vector requires an unsuspecting user to load a malicious web page that prompts the upload form; the user’s interaction is necessary for the payload to be written to the chosen location. The vulnerability could lead to unauthorized file modification and potential code execution, depending on the target file’s role in the system.

Generated by OpenCVE AI on May 22, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest 9front release that contains the Mothra fix once it becomes available
  • Review and sanitize any default file path values before submitting an upload form to Mothra
  • Restrict or disable the use of HTML file upload forms in Mothra when interacting with unknown or untrusted sites

Advisories

No advisories yet.

History

Fri, 22 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Mothra Default Path Upload Exploit

Fri, 22 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Mothra Default File Path Bypass in HTML Upload Forms
Weaknesses CWE-22

Fri, 22 May 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 04:45:00 +0000

Type Values Removed Values Added
Title Mothra Default File Path Bypass in HTML Upload Forms
First Time appeared 9front
9front 9front
Weaknesses CWE-22
Vendors & Products 9front
9front 9front

Fri, 22 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element.
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/AU:N/R:A/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: 9front

Published:

Updated: 2026-05-22T12:36:11.446Z

Reserved: 2026-05-19T21:39:13.119Z

Link: CVE-2026-9053

Vulnrichment

Updated: 2026-05-22T12:25:29.106Z

NVD

Status: Received

Published: 2026-05-22T04:16:28.430

Modified: 2026-05-22T04:16:28.430

Link: CVE-2026-9053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T17:30:06Z

Weaknesses