CVE-2026-6835
Arbitrary File Upload in a+HCM Enables Remote XSS Impact
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: TWCERT/CC
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aEnrich (育碁數位科技) | a+HCM | up to 8.1 (excluding) |
| aEnrich (育碁數位科技) | a+HCM | from 6.8 (including) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote attackers to upload arbitrary files, including HTML documents, which can lead to cross-site scripting (XSS)-like attacks. Such unauthorized access and potential data manipulation could impact the confidentiality and integrity of data handled by the affected system.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized file uploads and XSS attacks generally pose risks to data protection and privacy requirements mandated by these regulations.
Organizations using the affected software should consider this vulnerability as a potential compliance risk and apply recommended patches or upgrades to mitigate unauthorized access and protect sensitive data.
Can you explain this vulnerability to me?
CVE-2026-6835 is an Arbitrary File Upload vulnerability in the a+HCM software developed by aEnrich (育碁數位科技). This flaw allows unauthenticated remote attackers to upload any type of file to any path on the affected system.
Attackers can upload HTML files, which may lead to cross-site scripting (XSS)-like effects, potentially enabling malicious scripts to run in users' browsers.
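The CWE-434 path described above has two parts: the server stores whatever name and content the client sends, and it later serves that file from its own origin, so an uploaded HTML document renders as a page there. The following is an added example, not a+HCM code or vendor guidance, showing the two controls a defender would expect: an allowlisted extension with a server-chosen name confined to an upload root, and download-only response headers. All paths and names are hypothetical.

```python
"""
Added example (hypothetical upload handler, not a+HCM code): close the
CWE-434 / HTML-upload route by (1) never trusting the client's filename or
path, (2) refusing bodies a browser would render as HTML, and (3) serving
stored files as downloads rather than pages on the application origin.
"""
import re
import secrets
from pathlib import Path

UPLOAD_ROOT = Path("/srv/app/uploads")           # assumed storage root
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".docx"}   # allowlist; .html/.svg absent
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|svg|iframe|body)", re.I)


def store_path_for(client_name: str, token: str = "") -> Path:
    """Map a client-supplied name to a safe location under UPLOAD_ROOT.

    Only the extension of the client's name is used, and only if allowlisted.
    The stored name is random (token is overridable for tests), and the final
    resolved path is checked to lie inside UPLOAD_ROOT so '../' segments or
    absolute paths in the client name can never pick the destination.
    """
    ext = Path(client_name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    stored = f"{token or secrets.token_hex(16)}{ext}"
    candidate = (UPLOAD_ROOT / stored).resolve()
    if UPLOAD_ROOT.resolve() not in candidate.parents:
        raise ValueError("resolved path escapes upload root")
    return candidate


def content_is_html(data: bytes) -> bool:
    """True if the first 2 KiB contain markup a browser would execute."""
    return HTML_MARKERS.search(data[:2048]) is not None


def download_headers(stored_name: str) -> dict:
    """Headers that make the browser download the file, never render it."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
```

Serving uploads from a separate, cookie-less origin adds a further layer, because a rendered file there cannot read the application's session.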
How can this vulnerability impact me?
This vulnerability can allow attackers to upload malicious files without authentication, potentially leading to XSS-like attacks.
Such attacks can compromise user interactions by executing malicious scripts, which may lead to unauthorized access to sensitive information or manipulation of the affected system.
The CVSS 3.1 base score of 6.1 indicates medium severity: low impact on confidentiality and integrity, no impact on availability, a changed scope, and a requirement for user interaction.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-6835 vulnerability, users should upgrade to version 6.8 or later of the a+HCM software developed by aEnrich (育碁數位科技).
Applying the latest patches provided by the vendor is also recommended.
Alternatively, contacting aEnrich customer support for assistance can help ensure proper remediation.
How can this vulnerability impact me?
This vulnerability can allow attackers to upload malicious files without authentication, potentially compromising the affected system.
By uploading HTML files, attackers may execute XSS-like attacks, which can lead to unauthorized actions, data theft, or session hijacking for users interacting with the system.
The vulnerability has a medium severity score (CVSS 3.1 base score 6.1), indicating a significant risk that requires attention.