PT-2026-6973 · Guchengwuyue · Yshopmall

Mukyuuhate · Published 2026-02-08 · Updated 2026-02-08 · CVE-2026-2146

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: guchengwuyue yshopmall versions up to 1.9.1

Description: A security flaw exists in guchengwuyue yshopmall up to version 1.9.1. The issue is related to unrestricted upload, stemming from manipulation of the File argument within the updateAvatar function located in the file '/api/users/updateAvatar' of the co.yixiang.utils.FileUtil component. This allows for remote exploitation. The exploit has been publicly released. The project maintainers were notified of the issue but have not yet responded.

Recommendations: Versions prior to 1.9.1 should be used. As a temporary workaround, consider restricting file upload capabilities until a patch is available.

Exploit

Fix

Weakness Enumeration: Unrestricted File Upload, Improper Access Control

Related Identifiers: CVE-2026-2146

Affected Products: Yshopmall