PT-2026-33404 · WordPress · Kubio

Seungryeol Baek

·

Published

2026-04-17

·

Updated

2026-04-17

·

CVE-2026-5427

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Kubio versions prior to 2.7.3

Description

Insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts, allow arbitrary file upload. When a post is created or updated via the REST API, the plugin parses block attributes for URLs in the kubio attribute namespace and automatically imports them via importRemoteFile() without checking whether the user has the upload_files capability. This lets authenticated attackers with Contributor-level access or higher bypass the standard media upload restrictions and pull files from external URLs into the media library, creating attachment posts in the database.

Recommendations

Update to Kubio 2.7.3 or later.
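The bug class above is easiest to see as two shapes of the same filter callback. The PHP below is a constructed example written for this page, not Kubio's code: the hook name, its ($prepared_post, $request) signature, parse_blocks(), current_user_can() and media_sideload_image() are real WordPress APIs, while the "kubio/" attribute layout, the example_* function names and the use of media_sideload_image() in place of the plugin's own importRemoteFile() are assumptions.

```php
<?php
/**
 * Constructed example (not Kubio's code): a rest_pre_insert_{$post_type}
 * callback that sideloads remote assets referenced in block attributes,
 * first in the vulnerable shape (no capability check) and then hardened.
 * Assumed: the "kubio/" attribute namespace, the example_* names, and
 * media_sideload_image() standing in for the plugin's import helper.
 */

// media_sideload_image() lives in wp-admin and is not loaded during REST
// requests by default; both variants need these includes to run there.
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/image.php';

/**
 * Walk parsed blocks (and inner blocks) and collect http(s) URLs stored in
 * attributes under the assumed "kubio/" namespace.
 */
function example_collect_remote_urls( array $blocks, array &$urls ) {
	foreach ( $blocks as $block ) {
		foreach ( (array) ( $block['attrs'] ?? array() ) as $name => $value ) {
			if ( is_string( $value )
				&& 0 === strpos( (string) $name, 'kubio/' )
				&& preg_match( '#^https?://#i', $value ) ) {
				$urls[] = $value;
			}
		}
		if ( ! empty( $block['innerBlocks'] ) ) {
			example_collect_remote_urls( $block['innerBlocks'], $urls );
		}
	}
}

/**
 * VULNERABLE shape. The only capability the REST request has been checked
 * for is the one needed to create/edit the post (edit_posts, which a
 * Contributor holds). Every URL found in the content is fetched and stored
 * as an attachment post regardless of whether the caller may upload files.
 */
function example_vulnerable_pre_insert( $prepared_post, WP_REST_Request $request ) {
	$content = isset( $prepared_post->post_content ) ? (string) $prepared_post->post_content : '';
	$urls    = array();
	example_collect_remote_urls( parse_blocks( $content ), $urls );
	foreach ( $urls as $url ) {
		media_sideload_image( $url, 0, null, 'id' ); // stands in for importRemoteFile()
	}
	return $prepared_post;
}

/**
 * HARDENED shape. Require the same capability the core media endpoint
 * requires before performing the privileged side effect. Returning the post
 * unchanged (rather than a WP_Error) keeps the post save working for
 * Contributors; the automatic import simply does not happen for them.
 */
function example_hardened_pre_insert( $prepared_post, WP_REST_Request $request ) {
	if ( ! current_user_can( 'upload_files' ) ) {
		return $prepared_post;
	}
	$content = isset( $prepared_post->post_content ) ? (string) $prepared_post->post_content : '';
	$urls    = array();
	example_collect_remote_urls( parse_blocks( $content ), $urls );
	foreach ( $urls as $url ) {
		// media_sideload_image() still applies the core extension/MIME checks
		// to the downloaded file; this change fixes authorization only.
		$attachment_id = media_sideload_image( $url, 0, null, 'id' );
		if ( is_wp_error( $attachment_id ) ) {
			continue; // assumed policy: skip a bad URL rather than fail the save
		}
	}
	return $prepared_post;
}

// Post types taken from the advisory (posts, pages, templates, template
// parts); the internal names for the last two are wp_template and
// wp_template_part.
foreach ( array( 'post', 'page', 'wp_template', 'wp_template_part' ) as $post_type ) {
	add_filter( "rest_pre_insert_{$post_type}", 'example_hardened_pre_insert', 10, 2 );
}
```

The check mirrors what WP_REST_Attachments_Controller enforces for POST /wp/v2/media, which is why the vulnerable shape is a bypass: it reaches the same outcome (a new attachment post backed by a downloaded file) through a hook whose permission check only covers the post itself. When reviewing a plugin for the same pattern, look for any rest_pre_insert_*, save_post or similar callback that calls a download-and-attach helper and confirm it gates on upload_files rather than relying on the caller already having edit_posts.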

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2026-5427

Affected Products

Kubio