PT-2026-21912 · Feiyuchuixue · Sz-Boot-Parent

Yuccun

Published

2026-02-25

Updated

2026-02-25

CVE-2026-3187

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions feiyuchuixue sz-boot-parent versions up to 1.3.2-beta

Description A flaw exists in feiyuchuixue sz-boot-parent that allows for unrestricted file uploads. This issue is related to the functionality of the /api/admin/sys-file/upload API endpoint. The attack can be initiated remotely and an exploit is publicly available. The project developers addressed the issue by implementing a whitelist restriction on the /api/admin/sys-file/upload endpoint using the oss.allowedExts and oss.allowedMimeTypes configuration options, which allow specifying permitted file extensions and MIME types for uploads.

Recommendations Upgrade to version 1.3.3-beta.

Exploit

Fix

Improper Access Control

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-434

Related Identifiers

CVE-2026-3187

Affected Products

Sz-Boot-Parent

PT-2026-21912 · Feiyuchuixue · Sz-Boot-Parent

CVE-2026-3187

Weakness Enumeration

Related Identifiers

Affected Products

References · 10