CVE-2026-30117
Deferred Deferred - Pending Action
Arbitrary File Upload in Scalar Astro via SVG

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: MITRE

Description
scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-30117
EUVD
EUVD-2026-30944
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
scalar astro 0.1.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves an arbitrary file upload via the scalar_url query parameter in the Scalar Proxy endpoint, allowing attackers to upload crafted SVG files that can lead to arbitrary code execution.

To detect this vulnerability on your system or network, you should monitor and analyze requests to the Scalar Proxy endpoint, specifically looking for unusual or suspicious uploads of SVG files through the scalar_url parameter.

While no specific detection commands are provided in the available resources, general approaches include:

  • Using web server logs or network traffic analysis tools (e.g., tcpdump, Wireshark) to identify requests containing the scalar_url parameter with SVG file uploads.
  • Employing web application firewall (WAF) rules to detect and block suspicious file uploads targeting the scalar_url parameter.
  • Running custom scripts or using vulnerability scanners that can test the scalar_url parameter for arbitrary file upload vulnerabilities by attempting to upload crafted SVG files.
Executive Summary

The vulnerability in scalar/astro v0.1.13 is an arbitrary file upload issue found in the scalar_url query parameter of the Scalar Proxy endpoint.

This flaw allows attackers to upload a specially crafted SVG file, which can then be used to execute arbitrary code on the affected system.

Impact Analysis

This vulnerability can lead to remote code execution by an attacker, potentially allowing them to take control of the affected system.

Such control could be used to compromise data, disrupt services, or further penetrate the network.

Compliance Impact

The vulnerability in scalar/astro v0.1.13 allows arbitrary file upload leading to remote code execution, which can result in unauthorized access, data breaches, and system compromise.

Such security breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity.

Failure to mitigate this vulnerability could lead to violations of these regulations due to potential exposure or manipulation of protected data.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling file uploads via the scalar_url query parameter in the Scalar Proxy endpoint.

Additional recommended actions are:

  • Implement strict validation and sanitization of uploaded files, ensuring only allowed file types and safe content are accepted.
  • Apply patches or updates provided by the software vendor once available.
  • Use web application firewalls (WAFs) to block malicious upload attempts targeting this vulnerability.
  • Monitor logs for suspicious activity related to the scalar_url parameter and uploaded SVG files.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart