CVE-2026-3749
Received Received - Intake
Unrestricted File Upload Vulnerability in Bytedesk SVG Handler

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in Bytedesk up to 1.3.9. This vulnerability affects the function handleFileUpload of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the component SVG File Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 1.4.5.1 is able to resolve this issue. This patch is called 975e39e4dd527596987559f56c5f9f973f64eff7. It is recommended to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3749
EUVD
EUVD-2026-10252
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bytedesk bytedesk to 1.4.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3749 is a vulnerability in Bytedesk versions up to 1.3.9 affecting the file upload functionality, specifically the handleFileUpload function in the SVG File Handler component.

The vulnerability allows an attacker to upload SVG files containing embedded malicious JavaScript code without proper sanitization or filtering.

When these SVG files are uploaded, the watermarking process does not remove or neutralize the embedded scripts, resulting in stored Cross-Site Scripting (XSS) attacks that execute arbitrary JavaScript when the uploaded file is accessed.

The attack can be performed remotely by authenticated users and is facilitated by the lack of restrictions on dangerous file types during upload.

The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and has a publicly available proof-of-concept exploit.

Mitigation involves upgrading Bytedesk to version 1.4.5.1, which includes a patch that blocks SVG file uploads and improves file upload security.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to stored Cross-Site Scripting (XSS) attacks by allowing attackers to upload SVG files with embedded malicious JavaScript.'}, {'type': 'list_item', 'content': "Execution of arbitrary JavaScript in the context of users' browsers when they access the uploaded SVG files."}, {'type': 'list_item', 'content': 'Potential session hijacking, defacement, or unauthorized actions performed on behalf of users.'}, {'type': 'list_item', 'content': 'Compromise of confidentiality, integrity, and availability of the affected system.'}, {'type': 'list_item', 'content': 'Remote exploitation by authenticated users without additional privileges.'}, {'type': 'paragraph', 'content': 'Overall, the vulnerability exposes the system to significant security risks including unauthorized code execution and potential further attacks on users and the platform.'}] [1, 5, 6]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and testing the file upload endpoint `/api/v1/upload/file` for acceptance of SVG files containing embedded JavaScript. Since the vulnerability allows unrestricted upload of SVG files with malicious scripts, one detection method is to attempt uploading a crafted SVG file with a script payload and observe if the server accepts it and returns a public URL.'}, {'type': 'paragraph', 'content': 'Commands to test this could include using curl or similar tools to POST a malicious SVG file to the upload endpoint and then accessing the returned URL to check for script execution (stored XSS). For example:'}, {'type': 'list_item', 'content': 'curl -X POST -F "[email protected]" https://your-bytdesk-instance/api/v1/upload/file'}, {'type': 'list_item', 'content': 'Then access the returned URL in a browser to check if the embedded script executes.'}, {'type': 'paragraph', 'content': 'Additionally, network monitoring tools can be used to detect uploads of SVG files or unusual POST requests to the upload endpoint. Reviewing logs for file uploads with SVG extensions or MIME types containing "image/svg" can also help identify attempts to exploit this vulnerability.'}] [5, 6]

Mitigation Strategies

The primary and recommended immediate mitigation step is to upgrade Bytedesk to version 1.4.5.1 or later, which includes a patch that explicitly blocks SVG and SVGZ file uploads and improves file upload security.

This patch enhances the file type whitelist to reject SVG files and their MIME types, preventing the upload of potentially dangerous files that could contain embedded scripts.

If upgrading immediately is not possible, consider implementing temporary controls such as:

  • Blocking or filtering SVG file uploads at the web server or application firewall level.
  • Restricting access to the file upload endpoint to trusted users only.
  • Monitoring and alerting on uploads of SVG files or suspicious file types.

Ultimately, applying the official patch from the Bytedesk GitHub repository (commit ID: 975e39e4dd527596987559f56c5f9f973f64eff7) is the definitive fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3749. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart