CVE-2026-7490
Arbitrary File Upload in Sunnet CTMS and CPAS
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: TWCERT/CC
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| Sunnet (旭聯科技) | ctms | * |
| Sunnet (旭聯科技) | cpas | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7490 is an arbitrary file upload vulnerability found in CTMS and CPAS software developed by Sunnet (旭聯科技).
This flaw allows a remote attacker who already has administrative (privileged) access to upload malicious web shell scripts to the server.
Once uploaded, these web shells can be executed, enabling the attacker to run arbitrary code on the affected server.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with high privileges to execute arbitrary code on your server.
This can lead to unauthorized control over the system, potential data breaches, service disruption, or further compromise of the network.
Because the attacker can upload and run web shells, they may maintain persistent access and perform malicious activities undetected.
What immediate steps should I take to mitigate this vulnerability?
Users are advised to apply any patch the vendor provides as soon as it is available.
Since the vendor has not yet released a patch, contacting the vendor directly for a solution is recommended.
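As an added illustration of the CWE-434 weakness this record describes (this is not Sunnet's code, and the page does not describe the products' upload handler), the hypothetical Python validator below applies the checks an upload path needs so that a file named or crafted as a web shell is refused before it can reach a location the server would execute; the allowlist, magic bytes and sample filenames are constructed for the example.

```python
import secrets
from dataclasses import dataclass

# Allowlist of extensions this hypothetical application needs, each tied to
# the magic bytes its content must begin with (constructed for this example).
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# Extensions a typical web server hands to an interpreter; a file carrying any
# of these anywhere in its name is what a web-shell upload relies on.
SCRIPT_EXTENSIONS = {"php", "phtml", "phar", "jsp", "jspx", "asp", "aspx", "cgi", "pl"}


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, content: bytes) -> Decision:
    """Decide whether an upload may be stored, returning the reason either way.

    Rejects path separators and null bytes, script extensions anywhere in the
    name (this catches double extensions such as 'a.png.php'), extensions
    outside the allowlist, and content whose magic bytes disagree with the
    extension. Accepted files get a random server-chosen name so the client
    never controls where or how the file is stored.
    """
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return Decision(False, "path component or null byte in filename")
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return Decision(False, "no extension")
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        return Decision(False, "script extension present")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return Decision(False, f"extension '{ext}' not allowed")
    if not content.startswith(ALLOWED_TYPES[ext]):
        return Decision(False, "content does not match extension")
    # The caller writes the file under this name outside the document root, so
    # even a gap in these checks cannot turn an upload into an executable page.
    return Decision(True, "ok", f"{secrets.token_hex(16)}.{ext}")
```

Because the vulnerable path here is reachable only by an administrative account, the same checks belong on privileged upload forms, not just on public ones.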
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows privileged remote attackers to upload and execute web shell backdoors, leading to arbitrary code execution on the server. This could potentially result in unauthorized access to sensitive data or disruption of system integrity.
Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate controls against unauthorized system access.
However, the provided information does not explicitly mention the impact on compliance with these standards or any regulatory considerations.