CVE-2026-3187
Status: Awaiting Analysis (Queue)
Unrestricted File Upload Vulnerability in sz-boot-parent API Endpoint

Publication date: 2026-02-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professionally: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."
Meta Information
Published: 2026-02-25
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (15 associated CPEs)
Vendor Product Version / Range
szadmin sz-boot-parent to 0.9.0 (inc)
szadmin sz-boot-parent 1.0.0
szadmin sz-boot-parent 1.0.1
szadmin sz-boot-parent 1.0.2
szadmin sz-boot-parent 1.1.0
szadmin sz-boot-parent 1.2.0
szadmin sz-boot-parent 1.2.1
szadmin sz-boot-parent 1.2.2
szadmin sz-boot-parent 1.2.3
szadmin sz-boot-parent 1.2.4
szadmin sz-boot-parent 1.2.5
szadmin sz-boot-parent 1.2.6
szadmin sz-boot-parent 1.3.0
szadmin sz-boot-parent 1.3.1
szadmin sz-boot-parent 1.3.2
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3187 is an unrestricted file upload vulnerability found in the feiyuchuixue sz-boot-parent project, specifically affecting versions up to 1.3.2-beta. The issue exists in the API endpoint /api/admin/sys-file/upload, where insufficient validation and filtering of uploaded files allows attackers to upload arbitrary and potentially dangerous files without restriction.

This flaw enables unauthorized remote attackers to upload files such as HTML or executable files, which can lead to further malicious activities like remote code execution.

The vulnerability is addressed by upgrading to version 1.3.3-beta, which introduces whitelist restrictions on allowed file extensions and MIME types via configuration options.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized remote code execution, which compromises the confidentiality, integrity, and availability of the affected system.

Attackers can exploit the unrestricted file upload to place malicious files on the server, potentially leading to system takeover, data breaches, or service disruption.

Because the exploit is publicly available and the attack can be launched remotely, the risk of exploitation is significant if the system is not updated.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unrestricted file upload via the API endpoint /api/admin/sys-file/upload in the sz-boot-parent project up to version 1.3.2-beta. Detection can focus on monitoring or testing this endpoint for unauthorized file uploads, especially files with dangerous extensions or MIME types.

You can attempt to detect exploitation by sending test upload requests to the vulnerable endpoint with various file types and observing if uploads are accepted without proper validation.

- Use curl or similar tools to attempt file uploads to the endpoint, for example: curl -F "[email protected]" http://target/api/admin/sys-file/upload
- Check server logs for unusual or unauthorized file upload activity targeting /api/admin/sys-file/upload.
- Scan the system for unexpected or suspicious files that may have been uploaded via this endpoint.

[2, 3]


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade the sz-boot-parent project to version 1.3.3-beta or later, which includes a patch that restricts file uploads via whitelist configurations.

The patch introduces whitelist restrictions on the /api/admin/sys-file/upload endpoint using configuration options oss.allowedExts and oss.allowedMimeTypes to specify allowed file extensions and MIME types.

Until the upgrade can be applied, consider disabling or restricting access to the vulnerable upload endpoint to prevent unauthorized uploads.

Monitor and audit file uploads closely and remove any suspicious files that may have been uploaded.
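The following is an added example, not code from sz-boot-parent or its 1.3.3-beta patch, showing the kind of allowlist check the mitigation above describes. It assumes two allowlists named after the oss.allowedExts and oss.allowedMimeTypes options (the values chosen here are an assumption, not the project's defaults), and it goes one step further than an extension or MIME compare alone: it strips client-supplied directories from the filename, requires the extension and declared MIME type to agree with each other, checks the leading bytes of the body against the declared type, and stores the file under a server-chosen name.

```python
import hashlib
import os
import posixpath
from dataclasses import dataclass

# Constructed allowlists named after the options the 1.3.3-beta patch added
# (oss.allowedExts / oss.allowedMimeTypes). The values are an assumption for
# this example, not the project's defaults.
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif", "pdf"}
ALLOWED_MIME_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}

# Which MIME type each allowed extension must carry, so "x.png" declared as
# application/pdf is rejected even though both values are individually allowed.
EXT_TO_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
               "gif": "image/gif", "pdf": "application/pdf"}

# Leading bytes each allowed type starts with; the body must match the claim.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def check_upload(filename: str, declared_mime: str, content: bytes) -> UploadDecision:
    """Apply extension, MIME and content checks to one multipart upload."""
    # Keep only the final path component so client-supplied directories
    # ("../../x.png", "C:\\x.png") cannot steer where the file is written.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        return UploadDecision(False, "invalid filename")

    # Judge the extension by the last suffix only, lower-cased, so "a.PHP"
    # and "a.php.png" are not let through by a naive case-sensitive compare.
    ext = os.path.splitext(base)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTS:
        return UploadDecision(False, f"extension {ext!r} not allowed")

    # Drop parameters such as "; charset=..." before comparing the MIME type.
    mime = declared_mime.split(";")[0].strip().lower()
    if mime not in ALLOWED_MIME_TYPES:
        return UploadDecision(False, f"mime type {mime!r} not allowed")
    if EXT_TO_MIME[ext] != mime:
        return UploadDecision(False, f"extension {ext!r} does not match {mime}")

    # The declared type is client-controlled; require the body to agree.
    if not content.startswith(MAGIC[mime]):
        return UploadDecision(False, f"content is not {mime}")

    # Store under a server-chosen, content-derived name with the validated
    # extension re-attached, never under the client's filename.
    digest = hashlib.sha256(content).hexdigest()
    return UploadDecision(True, "ok", f"{digest}.{ext}")


def run_samples() -> dict:
    """Constructed uploads exercising the accept and reject paths."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = {
        "plain image": ("photo.png", "image/png", png),
        "php script": ("script.php", "application/x-httpd-php", b"<?php echo 1;"),
        "double ext": ("script.php.png", "image/png", b"<?php echo 1;"),
        "traversal name": ("../../var/www/x.png", "image/png", png),
        "ext/mime mismatch": ("doc.png", "application/pdf", b"%PDF-1.4\n"),
        "html page": ("index.html", "text/html", b"<html>"),
    }
    return {label: check_upload(*args) for label, args in samples.items()}


if __name__ == "__main__":
    for label, decision in run_samples().items():
        print(f"{label:18} accepted={decision.accepted} reason={decision.reason}")
```

The content check matters because a multipart request lets the client set both the filename and the Content-Type freely; an allowlist that only compares those two strings accepts a script renamed to an allowed extension. Deriving the stored name from the content also means two uploads of the same bytes, whatever names the client sent, land on the same server path.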

