CVE-2026-9053
HTML File Upload Form Default Value Spoofing in Mothra
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: 9front
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plan9 | 9front | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Mothra involves the handling of HTML file upload forms. Mothra respects a default file path value set by a website for file input elements, which it should not do. An attacker can create a malicious website that sets a default file path in a hidden file input form element. By hiding this element from the user's view, the attacker can trick Mothra into submitting the form and leaking any file from the user's namespace without their knowledge.
The root cause is missing input validation in Mothra's form parsing, specifically failing to clear default values for file input types. Although the malicious input cannot be hidden using CSS, it can be concealed by pushing it outside the visible window using many empty headings.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of files from the user's system. An attacker-controlled website can cause Mothra to unknowingly submit sensitive files by exploiting the default file path in a hidden file upload form. This means private or confidential data stored on the user's device could be leaked without their consent or awareness.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Mothra respecting a default file path value in HTML file upload forms, which can be exploited by a malicious website to leak files without user knowledge.
Detection would involve monitoring or inspecting HTML forms served by websites accessed through Mothra to identify file input elements that have a default value set by the server.
Since the malicious file input element can be hidden by pushing it outside the visible window using many empty headings, manual inspection of the HTML source code or automated scanning tools that parse form elements for default file paths could help detect the issue.
Specific commands are not provided in the resources, but a possible approach is to use network traffic capture tools (e.g., tcpdump or Wireshark) to capture HTTP responses and then search for file input elements with a value attribute set.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability can be mitigated by ensuring that any default value previously set for file input elements is cleared when the input type is recognized as "file."
Specifically, applying the patch that modifies the forms.c file in Mothra to null-terminate the value field for file input types will prevent websites from setting a default file path.
Until the patch is applied, users should be cautious when interacting with file upload forms in Mothra and avoid visiting untrusted websites that might exploit this behavior.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability in Mothra allows a malicious website to submit file upload forms with a default file path, potentially leaking any file in the user's namespace without their knowledge due to missing input validation.
Such unauthorized file access and data leakage could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data access and processing.
Because the vulnerability enables stealthy exfiltration of user files, it undermines user consent and data confidentiality principles central to these standards.