PT-2026-36131 · Jeesite · Jeesite

Arron-Bit · Published 2026-04-30 · Updated 2026-05-12 · CVE-2026-36760

CVSS v3.1: 9.6 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

JeeSite version 5.15.1

Description

An issue in the '/a/file/upload' endpoint allows authenticated attackers with file upload permissions to perform path traversal and write arbitrary files with whitelisted suffixes to any location on the filesystem when chunked upload is enabled. This is possible via the fileMd5 parameter.

Recommendations

As a temporary workaround, restrict access to the '/a/file/upload' endpoint or disable the chunked upload feature to prevent the use of the fileMd5 parameter for unauthorized file writes.
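The class of check that closes this kind of issue, as an added example that is not JeeSite source code and not the vendor fix: validate fileMd5 strictly before it is used to build a path, then confirm the resolved directory stays under the upload root. The names ChunkPathGuard, resolveChunkDir and uploadRoot are hypothetical, and the 32-character hex format for fileMd5 is an assumption based on the parameter name.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example: hypothetical helper, not JeeSite code and not the vendor fix.
public class ChunkPathGuard {

    // Assumption: a legitimate fileMd5 is a 32-character hex MD5 digest.
    private static final Pattern MD5_HEX = Pattern.compile("[0-9a-fA-F]{32}");

    // Returns the per-upload chunk directory, or throws if fileMd5 is malformed
    // or the resolved directory would fall outside uploadRoot.
    static Path resolveChunkDir(Path uploadRoot, String fileMd5) throws IOException {
        // matches() requires the whole string to fit the pattern, so path
        // separators, dots, NUL bytes and trailing newlines are all rejected.
        if (fileMd5 == null || !MD5_HEX.matcher(fileMd5).matches()) {
            throw new IllegalArgumentException("fileMd5 is not a 32-character hex digest");
        }
        // Canonicalise the root (resolves symlinks), then resolve the child under it.
        Path root = uploadRoot.toRealPath();
        Path chunkDir = root.resolve(fileMd5).normalize();
        // Defence in depth: containment check that still holds if the pattern is loosened later.
        if (!chunkDir.startsWith(root)) {
            throw new SecurityException("resolved chunk directory escapes the upload root");
        }
        return chunkDir;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("upload-root"); // constructed sample root
        String[] samples = {                                  // constructed sample values
            "d41d8cd98f00b204e9800998ecf8427e",               // well-formed digest: accepted
            "../../outside",                                  // traversal sequence: rejected
            "d41d8cd98f00b204e9800998ecf8427e/../../x",       // digest prefix plus traversal: rejected
            ""                                                // empty value: rejected
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + resolveChunkDir(root, s));
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println("rejected: \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

Rejections from a check like this are worth logging with the authenticated user, since a non-hex fileMd5 on '/a/file/upload' has no legitimate source.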

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-36760

Affected Products: Jeesite