CVE-2026-3748
Unrestricted File Upload Vulnerability in Bytedesk SVG Handler
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytedesk | bytedesk | to 1.4.5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3748 is a vulnerability in Bytedesk versions up to 1.3.9 affecting the file upload functionality, specifically the uploadFile function in UploadRestController.java. It allows authenticated attackers to upload SVG files containing embedded malicious JavaScript without sanitization.
Because the server does not sanitize the contents of uploaded SVG files, these files can contain <script> tags that execute JavaScript when accessed by a victim, leading to a Stored Cross-Site Scripting (XSS) attack.
The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and relates to CWE-284 and CWE-266. Remote exploitation is possible, and a public proof-of-concept exploit is available.
Mitigation involves upgrading Bytedesk to version 1.4.5.1 or applying the patch identified by commit 975e39e4dd527596987559f56c5f9f973f64eff7.
How can this vulnerability impact me?
This vulnerability allows an attacker with valid authentication to upload malicious SVG files containing JavaScript that executes in the browser of anyone who accesses the uploaded file URL.
The impact includes potential compromise of confidentiality, integrity, and availability of the system by enabling Stored Cross-Site Scripting (XSS) attacks.
- Attackers can execute arbitrary JavaScript in the context of the victim's browser.
- This can lead to session hijacking, data theft, or further exploitation of the affected system.
- Because the upload is unrestricted for dangerous file types, attackers can bypass file type restrictions to upload harmful content.
[1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the authenticated file upload endpoint `POST /api/v1/upload/file` for acceptance of SVG files containing embedded JavaScript `<script>` tags without sanitization.
A practical detection method involves attempting to upload a crafted SVG file with embedded JavaScript to the vulnerable endpoint using an authenticated session. Successful upload and retrieval of a `fileUrl` that serves the SVG file indicates the vulnerability.
For example, using curl or a Python script with an authorization bearer token, you can send a malicious SVG file to the endpoint and check for an HTTP 200 response with a JSON payload containing the `fileUrl`.
- `curl -X POST https://your-bytdesk-instance/api/v1/upload/file -H "Authorization: Bearer <token>" -F "[email protected];type=image/svg+xml"`
- Check the response for a `fileUrl` field indicating the file was accepted and stored.
Additionally, monitoring network traffic for uploads to the `/api/v1/upload/file` endpoint and inspecting uploaded SVG files for embedded `<script>` tags can help detect exploitation attempts.
[2, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade Bytedesk to version 1.4.5.1, which contains the patch that fixes this unrestricted file upload vulnerability.
The patch is identified by commit 975e39e4dd527596987559f56c5f9f973f64eff7 and addresses the issue by properly sanitizing SVG file uploads or restricting dangerous file types.
Until the upgrade can be applied, immediate steps include restricting access to the file upload API endpoint to trusted users only, implementing additional server-side validation and sanitization of SVG files, and monitoring for suspicious upload activity.
Disabling SVG uploads or blocking files with embedded scripts can also reduce risk temporarily.
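The server-side validation described in this answer, and the inspection of stored SVG files for embedded scripts mentioned in the detection answer, can both be done with one content gate. The block below is an added example in Python, not Bytedesk's code and not the patch in commit 975e39e4dd527596987559f56c5f9f973f64eff7; the function names, the size cap and the sample SVG files are constructed for illustration. It rejects the constructs that turn an SVG into a stored-XSS vector: `<script>` and other active elements, `on*` event-handler attributes, `javascript:` / `vbscript:` hrefs (including `xlink:href`), and any DOCTYPE or entity declaration, and it reports why a file was refused so the rejection can be logged.

```python
"""Added example (not Bytedesk's code): a server-side gate for SVG uploads.

Assumed (hypothetical) integration: the upload handler passes the raw bytes
to find_svg_violations() before storing the file, and refuses the upload
when the returned list is non-empty. The same function can be run over
already-stored SVG files to find ones that should never have been accepted.
"""
import re
import xml.etree.ElementTree as ET

MAX_SVG_BYTES = 512 * 1024  # hypothetical size cap for an image upload
SVG_NS = "http://www.w3.org/2000/svg"

# Elements that can run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that execute when a browser dereferences the link.
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()


def find_svg_violations(data: bytes) -> list[str]:
    """Return the reasons an SVG upload must be rejected (empty list = accepted)."""
    if len(data) > MAX_SVG_BYTES:
        return [f"size {len(data)} exceeds cap {MAX_SVG_BYTES}"]
    # Images do not need entity declarations; refusing any DOCTYPE up front
    # keeps entity-expansion and external-entity tricks away from the parser.
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        return ["DOCTYPE / entity declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append("root element is not <svg> in the SVG namespace")
    for el in root.iter():  # includes the root element itself
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr)  # xlink:href and plain href both become "href"
            if a.startswith("on"):
                findings.append(f"event handler attribute {a} on <{name}>")
            if a == "href" and ACTIVE_SCHEME.match(value):
                findings.append(f"href with active scheme on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Convenience wrapper: True only when no violation was found."""
    return not find_svg_violations(data)


# Constructed sample uploads (not taken from the advisory or any real attack).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>void 0</script></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<rect width="1" height="1" onload="void 0"/></svg>')
XLINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
             b'xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<a xlink:href="javascript:void 0"><text>x</text></a></svg>')
DOCTYPE_SVG = (b'<!DOCTYPE svg [<!ENTITY x "y">]>'
               b'<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>')
NOT_SVG = b"<html><body>hi</body></html>"

if __name__ == "__main__":
    samples = {
        "benign": BENIGN_SVG, "script": SCRIPT_SVG, "handler": HANDLER_SVG,
        "xlink": XLINK_SVG, "doctype": DOCTYPE_SVG, "html": NOT_SVG,
    }
    for label, blob in samples.items():
        verdict = find_svg_violations(blob)
        print(f"{label:8s} -> {'ACCEPT' if not verdict else 'REJECT: ' + '; '.join(verdict)}")
```

Rejecting rather than trying to strip the offending nodes is the deliberate choice here: a sanitiser that rewrites the file has to get every edge case right, whereas a gate that refuses anything active loses nothing for ordinary icons and illustrations. Serving stored SVGs with `Content-Disposition: attachment` or from a separate origin is a complementary control that the same handler can apply to files accepted before the gate existed.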