PT-2026-3368 · Xiweicheng · Xiweicheng Tms

Youran

Publicado

2026-01-17

Atualizado

2026-03-08

CVE-2026-1061

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions xiweicheng TMS versions prior to 2.28.0

Description An issue exists in xiweicheng TMS that allows for unrestricted file uploads. This is due to the manipulation of the filename argument within the Upload function located in the file src/main/java/com/lhjz/portal/controller/FileController.java. The attack can be initiated remotely. The exploit is publicly available.

Recommendations Update to a version later than 2.28.0. As a temporary workaround, restrict access to the Upload function in src/main/java/com/lhjz/portal/controller/FileController.java.

Exploit

Correção

Improper Access Control

Unrestricted File Upload

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-284CWE-434

Identificadores relacionados

CVE-2026-1061

Produtos afetados

Xiweicheng Tms

PT-2026-3368 · Xiweicheng · Xiweicheng Tms

CVE-2026-1061

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 10