PT-2026-29870 · Hytale · Hytale
Liamsystems · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-34735
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Hytale versions 1.2.0 and prior
Description
The Hytale Modding Wiki allows server-side code execution through the quickUpload() API endpoint. The endpoint validates uploaded files by checking their MIME type using PHP's finfo function, which inspects file contents. However, the stored filename is constructed using the client-supplied file extension from getClientOriginalExtension(). The two checks are independent, so an attacker can upload a file whose content passes the MIME allowlist but whose name carries a .php extension. The file is stored on the public disk and is directly accessible via URL.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
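The description above boils down to two checks that never meet: finfo decides whether the content is acceptable, while the extension that determines how the web server treats the stored file comes from the client. The following PHP is an added example, not code from Hytale or the Modding Wiki; it uses plain finfo and pathinfo() in place of Laravel's UploadedFile helpers, and the function names, the allowlist table and the constructed PNG input are assumptions. storeVulnerable() reproduces the independent-checks pattern; storeHardened() derives the extension from the detected MIME type so the two can no longer disagree.

```php
<?php
declare(strict_types=1);

// Added example, not Hytale's code. Assumes ext/fileinfo is loaded.

// Allowed content types, mapped to the only extensions we are willing to write.
const MIME_TO_EXT = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/** Content-based MIME detection, the same primitive the advisory describes (finfo). */
function detectMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

/** Random, client-independent base name for the stored file. */
function randomBaseName(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Vulnerable pattern: the content check passes, but the extension is taken from
 * the client-supplied name (what getClientOriginalExtension() returns in Laravel).
 * Returns the stored path, or null if the content was rejected.
 */
function storeVulnerable(string $tmpPath, string $clientName, string $publicDir): ?string
{
    if (!isset(MIME_TO_EXT[detectMime($tmpPath)])) {
        return null;
    }
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION)); // attacker-controlled
    $dest = $publicDir . '/' . randomBaseName() . ($ext !== '' ? '.' . $ext : '');
    return copy($tmpPath, $dest) ? $dest : null;
}

/**
 * Hardened pattern: the extension comes from our own MIME_TO_EXT table, keyed by
 * the detected content type; the client-supplied name is not consulted at all.
 */
function storeHardened(string $tmpPath, string $publicDir): ?string
{
    $mime = detectMime($tmpPath);
    if (!isset(MIME_TO_EXT[$mime])) {
        return null;
    }
    $dest = $publicDir . '/' . randomBaseName() . '.' . MIME_TO_EXT[$mime];
    return copy($tmpPath, $dest) ? $dest : null;
}

// Constructed demonstration input: bytes that form a valid PNG header, submitted
// under a name with a script extension. The only thing that differs between the
// two handlers is which extension ends up on disk.
$workDir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($workDir, 0700, true);
$tmpUpload = $workDir . '/php-upload-tmp';
file_put_contents(
    $tmpUpload,
    "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89"
);
$clientName = 'avatar.php';

$v = storeVulnerable($tmpUpload, $clientName, $workDir);
$h = storeHardened($tmpUpload, $workDir);
printf("detected MIME    : %s\n", detectMime($tmpUpload));
printf("vulnerable stores: %s\n", $v ?? 'rejected'); // .php: content check satisfied, name never checked
printf("hardened stores  : %s\n", $h ?? 'rejected'); // .png: extension follows the detected content
```

Deriving the extension from the detected type is the minimal fix for the coupling defect; in addition, uploads served from a public disk should live in a location where the web server has script execution disabled, so that a misjudged extension cannot be turned into code execution by itself.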
Weakness Enumeration
Unrestricted File Upload
Affected Products
Hytale