CVE-2026-3187

LOW EPSS 22.3%
Published Feb 25, 20264mo ago · Modified Jun 17, 20261w ago
2.1 CVSS 4.0
Low
Find Similar
Published Feb 25, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
22.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-284
CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

Affected Products 15

VendorProductVersionRange
szadminsz-boot-parent* ≤0.9.0
szadminsz-boot-parent1.0.0any
szadminsz-boot-parent1.0.1any
szadminsz-boot-parent1.0.2any
szadminsz-boot-parent1.1.0any
szadminsz-boot-parent1.2.0any
szadminsz-boot-parent1.2.1any
szadminsz-boot-parent1.2.2any
szadminsz-boot-parent1.2.3any
szadminsz-boot-parent1.2.4any
szadminsz-boot-parent1.2.5any
szadminsz-boot-parent1.2.6any
szadminsz-boot-parent1.3.0any
szadminsz-boot-parent1.3.1any
szadminsz-boot-parent1.3.2any

References 7

  • github.com https://github.com/feiyuchuixue/sz-boot-parent/
    Product
  • github.com https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802
    Patch
  • github.com https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
    Release Notes
  • github.com https://github.com/yuccun/CVE/blob/main/sz-boot-parent-Arbitrary_File_Upload.md
    ExploitThird Party Advisory
  • vuldb.com https://vuldb.com/?ctiid.347745
    Permissions RequiredVDB Entry
  • vuldb.com https://vuldb.com/?id.347745
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.754038
    Third Party AdvisoryVDB Entry

Remediation

  • github.com https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802
    Patch