CVE-2026-6835
Received Received - Intake

Arbitrary File Upload in a+HCM Enables Remote XSS Impact

Vulnerability report for CVE-2026-6835, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: TWCERT/CC

Description

The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in a XSS-like effect.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-07-06
AI Q&A
2026-04-22
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
θ‚²η’ζ•Έδ½η§‘ζŠ€ a+hcm to 8.1 (exc)
θ‚²η’ζ•Έδ½η§‘ζŠ€ a+hcm From 6.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-6835 is an Arbitrary File Upload vulnerability in the a+HCM software developed by θ‚²η’ζ•Έδ½η§‘ζŠ€. This flaw allows unauthenticated remote attackers to upload any type of file to any path on the affected system.

Attackers can upload HTML files, which may lead to cross-site scripting (XSS)-like effects, potentially enabling malicious scripts to run in users' browsers.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to upload arbitrary files, including HTML documents, which can lead to cross-site scripting (XSS)-like attacks. Such unauthorized access and potential data manipulation could impact the confidentiality and integrity of data handled by the affected system.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized file uploads and XSS attacks generally pose risks to data protection and privacy requirements mandated by these regulations.

Organizations using the affected software should consider this vulnerability as a potential compliance risk and apply recommended patches or upgrades to mitigate unauthorized access and protect sensitive data.

Executive Summary

CVE-2026-6835 is an Arbitrary File Upload vulnerability in the a+HCM software developed by θ‚²η’ζ•Έδ½η§‘ζŠ€ (aEnrich). This flaw allows unauthenticated remote attackers to upload any type of file to any path on the affected system.

Attackers can upload HTML files, which may lead to cross-site scripting (XSS)-like effects, potentially enabling malicious scripts to run in users' browsers.

Impact Analysis

This vulnerability can allow attackers to upload malicious files without authentication, potentially compromising the affected system.

By uploading HTML files, attackers may execute XSS-like attacks, which can lead to unauthorized actions, data theft, or session hijacking for users interacting with the system.

The vulnerability has a medium severity score (CVSS 3.1 base score 6.1), indicating a significant risk that requires attention.

Mitigation Strategies

To mitigate the CVE-2026-6835 vulnerability, users should upgrade to version 6.8 or later of the a+HCM software developed by θ‚²η’ζ•Έδ½η§‘ζŠ€.

Applying the latest patches provided by the vendor is also recommended.

Alternatively, contacting θ‚²η’ζ•Έδ½η§‘ζŠ€ customer support for assistance can help ensure proper remediation.

Impact Analysis

This vulnerability can allow attackers to upload malicious files without authentication, potentially leading to XSS-like attacks.

Such attacks can compromise user interactions by executing malicious scripts, which may lead to unauthorized access to sensitive information or manipulation of the affected system.

The CVSS 3.1 score of 6.1 indicates a medium severity with low impact on confidentiality and integrity, no impact on availability, but with a changed scope and requiring user interaction.

Mitigation Strategies

To mitigate the CVE-2026-6835 vulnerability, users should upgrade to version 6.8 or later of the a+HCM software developed by θ‚²η’ζ•Έδ½η§‘ζŠ€.

Applying the latest patches provided by the vendor is also recommended.

Alternatively, contacting θ‚²η’ζ•Έδ½η§‘ζŠ€ customer support for assistance can help ensure proper remediation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6835. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart