CVE-2025-9795

Name of the Vulnerable Software and Affected Versions xujeff tianti 天梯 versions prior to 2.3

Description A vulnerability exists in xujeff tianti 天梯 that allows for unrestricted file uploads. The issue is located in the ajaxUploadFile() function within the src/main/java/com/jeff/tianti/controller/UploadController.java file. The upfile argument can be manipulated to achieve this. The exploit has been publicly disclosed and may be used remotely.

Recommendations Versions prior to 2.3: Update to version 2.3 or later. As a temporary workaround, restrict access to the ajaxUploadFile() function until a patch is available.