CVE-2026-2684
Received Received - Intake
Unrestricted File Upload Vulnerability in Tsinghua Unigroup Archives

Publication date: 2026-02-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2684
EUVD
EUVD-2026-7628
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unigroup electronic_archives_system to 3.2.210802(62532 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

Exploiting this vulnerability can lead to severe impacts including full system compromise. An attacker can execute arbitrary code, tamper with data, and deploy persistent backdoors.

Because the file upload is unrestricted and requires no authentication, attackers can easily exploit this flaw remotely, threatening the confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

Vulnerable targets can be identified using Google dorking with the query: inurl:Archive/ErecordManage/uploadFile.html.

Since the vulnerability involves unrestricted file upload via the File argument in /Archive/ErecordManage/uploadFile.html, detection can involve monitoring HTTP requests to this endpoint for suspicious file upload attempts.

No specific detection commands are publicly provided, but network monitoring tools can be configured to alert on POST requests to /Archive/ErecordManage/uploadFile.html containing file upload data.

Executive Summary

CVE-2026-2684 is a critical vulnerability in the Tsinghua Unigroup Electronic Archives System up to version 3.2.210802(62532). It affects the file /Archive/ErecordManage/uploadFile.html, where improper handling of the File argument allows an attacker to perform unrestricted file uploads remotely without authentication.

This means an attacker can upload arbitrary files, potentially including malicious ones, to the system. The vulnerability corresponds to CWE-434 (Unrestricted File Upload) and can be exploited remotely, making it highly accessible.

Mitigation Strategies

No known countermeasures or mitigations are currently available from the vendor, as they did not respond to early disclosure attempts.

Immediate steps include restricting access to the vulnerable upload endpoint, such as by network segmentation, firewall rules, or disabling the upload functionality if possible.

Monitoring and blocking suspicious file upload attempts and applying strict input validation or file type restrictions if you have control over the system are recommended.

Since a proof-of-concept exploit is publicly available, urgent attention to access control and monitoring is critical to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2684. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart