Executive Summary

CVE-2026-3748 is a vulnerability in Bytedesk versions up to 1.3.9 affecting the file upload functionality, specifically the uploadFile function in UploadRestController.java. It allows authenticated attackers to upload SVG files containing embedded malicious JavaScript without sanitization.

Because the server does not sanitize the contents of uploaded SVG files, these files can contain <script> tags that execute JavaScript when accessed by a victim, leading to a Stored Cross-Site Scripting (XSS) attack.

The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and relates to CWE-284 and CWE-266. Remote exploitation is possible, and a public proof-of-concept exploit is available.

Mitigation involves upgrading Bytedesk to version 1.4.5.1 or applying the patch identified by commit 975e39e4dd527596987559f56c5f9f973f64eff7.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with valid authentication to upload malicious SVG files containing JavaScript that executes in the browser of anyone who accesses the uploaded file URL.'}, {'type': 'paragraph', 'content': 'The impact includes potential compromise of confidentiality, integrity, and availability of the system by enabling Stored Cross-Site Scripting (XSS) attacks.'}, {'type': 'list_item', 'content': "Attackers can execute arbitrary JavaScript in the context of the victim's browser."}, {'type': 'list_item', 'content': 'This can lead to session hijacking, data theft, or further exploitation of the affected system.'}, {'type': 'list_item', 'content': 'Because the upload is unrestricted for dangerous file types, attackers can bypass file type restrictions to upload harmful content.'}] [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the authenticated file upload endpoint POST /api/v1/upload/file for acceptance of SVG files containing embedded JavaScript <script> tags without sanitization.'}, {'type': 'paragraph', 'content': 'A practical detection method involves attempting to upload a crafted SVG file with embedded JavaScript to the vulnerable endpoint using an authenticated session. Successful upload and retrieval of a fileUrl that serves the SVG file indicates the vulnerability.'}, {'type': 'paragraph', 'content': 'For example, using curl or a Python script with an authorization bearer token, you can send a malicious SVG file to the endpoint and check for a HTTP 200 response with a JSON payload containing the fileUrl.'}, {'type': 'list_item', 'content': 'curl -X POST https://your-bytdesk-instance/api/v1/upload/file -H "Authorization: Bearer <token>" -F "[email protected];type=image/svg+xml"'}, {'type': 'list_item', 'content': 'Check the response for a fileUrl field indicating the file was accepted and stored.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring network traffic for uploads to the /api/v1/upload/file endpoint and inspecting uploaded SVG files for embedded <script> tags can help detect exploitation attempts.'}] [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade Bytedesk to version 1.4.5.1, which contains the patch that fixes this unrestricted file upload vulnerability.

The patch is identified by commit 975e39e4dd527596987559f56c5f9f973f64eff7 and addresses the issue by properly sanitizing SVG file uploads or restricting dangerous file types.

Until the upgrade can be applied, immediate steps include restricting access to the file upload API endpoint to trusted users only, implementing additional server-side validation and sanitization of SVG files, and monitoring for suspicious upload activity.

Disabling SVG uploads or blocking files with embedded scripts can also reduce risk temporarily.

Useful 0 Not Useful 0