CVE-2026-11621
Deferred - Pending Action

Unrestricted File Upload in Dcat-Admin up to 2.2.3-beta

Vulnerability report for CVE-2026-11621, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulDB

Description

A weakness has been identified in Dcat-Admin up to 2.2.3-beta. It affects the editorMDUpload function behind the /admin/dcat-api/editor-md/upload route of the User Setting Page component. Manipulation of the editormd-image-file argument (the multipart form field that carries the editor's image upload) results in an unrestricted file upload: the server does not adequately restrict what is uploaded. The attack can be initiated remotely. An exploit has been made publicly available and could be used in attacks.

CVSS Scores

EPSS Scores

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
External references: NVD, EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

CWE-284  The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434  The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Executive Summary

This vulnerability exists in Dcat-Admin up to version 2.2.3-beta, specifically in the editorMDUpload function that handles the /admin/dcat-api/editor-md/upload route within the User Setting Page component.

The issue is caused by manipulation of the argument editormd-image-file, which leads to unrestricted file upload.

An attacker can exploit this vulnerability remotely, and the exploit code has been publicly disclosed.

Impact Analysis

The unrestricted file upload vulnerability allows an attacker to place arbitrary files on the server through the editor's image upload.

The consequences depend on where the uploaded files are stored and how they are served: if a file with a server-side script extension is written to a directory the web server executes scripts from, the attacker can request it directly and run code on the server, leading to full compromise, website defacement or unauthorized access to the data managed by the admin panel.

Because the attack is initiated over the network, no local or physical access is needed. The advisory does not state whether an authenticated admin session is required to reach the endpoint, so treat any client that can reach /admin as in scope.

Detection Guidance

This vulnerability involves unrestricted file upload via the editormd-image-file multipart field of the /admin/dcat-api/editor-md/upload endpoint. To detect exploitation attempts, monitor HTTP requests to that path and look for unexpected upload activity: POST requests from clients that do not normally use the admin panel, bursts of uploads from one client, non-browser user agents, and, most telling, later requests for a server-side script (for example a .php file) under the directory where editor uploads are stored.

Web server access logs record the method, path, status and user agent of each request, so they show POSTs to /admin/dcat-api/editor-md/upload and whether the server accepted them. They do not record multipart field names, so the editormd-image-file parameter itself is only visible in a request-body capture, a WAF log or the application's own logging.

Example commands to detect such activity might include:

  • Using grep on web server logs to find upload attempts: grep "/admin/dcat-api/editor-md/upload" /var/log/nginx/access.log (the status column tells you which POSTs were accepted; 2xx responses are the ones to review).
  • Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "/admin/dcat-api/editor-md/upload" (the BPF expression selects TCP segments that carry payload; this only works for plaintext HTTP on port 80, so on a TLS deployment capture at the reverse proxy or rely on the access log instead).
  • Using curl to confirm the behaviour in a test environment: send a multipart POST with the editormd-image-file field containing a harmless non-image file, with the session cookie the admin page uses, and check whether the server accepts it and where the returned URL points.

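
The log-based check described above, carried out as an added example (not code from this page or from Dcat-Admin): it parses nginx combined-format lines, lists POSTs to the advisory's endpoint, and then correlates each client's accepted uploads with later requests for script files under the upload directory. The log lines are constructed for the example, and the upload directory prefix /uploads/ is an assumption to be replaced with the deployment's real storage path.

```python
import posixpath
import re
from collections import Counter

# Endpoint named in the advisory.
UPLOAD_ENDPOINT = "/admin/dcat-api/editor-md/upload"
# Assumption: the path editor uploads are served from is deployment-specific;
# "/uploads/" is a placeholder, adjust it to the real storage location.
UPLOAD_PREFIX = "/uploads/"
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7"}

# nginx "combined" log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic). 10.0.0.5 is a normal admin user;
# 203.0.113.7 uploads twice from a scripted client and then fetches a .php file
# from the upload directory; 10.0.0.9 is refused by the server.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2026:10:01:02 +0000] "GET /admin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Jun/2026:10:01:09 +0000] "POST /admin/dcat-api/editor-md/upload HTTP/1.1" 200 98 "https://example.test/admin/auth/setting" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2026:10:02:11 +0000] "POST /admin/dcat-api/editor-md/upload HTTP/1.1" 200 101 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jun/2026:10:02:12 +0000] "POST /admin/dcat-api/editor-md/upload HTTP/1.1" 200 101 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jun/2026:10:02:15 +0000] "GET /uploads/images/x.php HTTP/1.1" 200 33 "-" "python-requests/2.31"
10.0.0.9 - - [09/Jun/2026:10:03:00 +0000] "POST /admin/dcat-api/editor-md/upload HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def upload_posts(lines):
    """All POSTs to the editor-md upload endpoint, whatever the status code."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["method"] == "POST" and r["path"] == UPLOAD_ENDPOINT]


def script_fetches(lines, prefix=UPLOAD_PREFIX):
    """Requests for server-side script files under the upload directory.
    A 200 here is the strongest signal that an uploaded file is being executed."""
    out = []
    for r in (parse_line(line) for line in lines):
        if r and r["path"].startswith(prefix) and posixpath.splitext(r["path"])[1].lower() in SCRIPT_EXTS:
            out.append(r)
    return out


def suspicious_sources(lines, prefix=UPLOAD_PREFIX):
    """Map client IP -> (accepted uploads, script fetches under the upload prefix).
    A client with both counts non-zero matches the upload-then-execute pattern."""
    uploads = Counter(r["ip"] for r in upload_posts(lines) if 200 <= r["status"] < 300)
    fetches = Counter(r["ip"] for r in script_fetches(lines, prefix))
    return {ip: (uploads.get(ip, 0), fetches.get(ip, 0)) for ip in set(uploads) | set(fetches)}


if __name__ == "__main__":
    for ip, (up, fetched) in sorted(suspicious_sources(SAMPLE_LOG.splitlines()).items()):
        flag = "INVESTIGATE" if up and fetched else "review"
        print(f"{ip:15} accepted_uploads={up} script_fetches={fetched} {flag}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the 403 from 10.0.0.9 is still worth a look as a failed attempt, which is why upload_posts keeps every status and only suspicious_sources filters to accepted ones.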
Mitigation Strategies

To mitigate this vulnerability immediately, restrict access to the /admin/dcat-api/editor-md/upload endpoint at the web server or reverse proxy (for example, allow it only from trusted administrator networks, or return 403 for it outright) until a fixed release is applied.

Additional steps include:

  • Enforce authentication and authorization on the upload route so that only logged-in, authorized administrators can reach it; the CWE-284 classification on this record points to an access-control weakness alongside the upload one.
  • Validate uploads server-side: allow-list image extensions, check that the file content matches the extension, discard the client-supplied filename and store under a generated name, and keep uploads in a directory the web server does not execute scripts from.
  • Monitor logs for suspicious upload attempts and block offending IP addresses; also inspect the upload directory for files that are not images.
  • Upgrade Dcat-Admin to a release later than 2.2.3-beta once one that fixes this issue is published.
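
The server-side validation step above, as an added example (not Dcat-Admin's own PHP code, which this page does not show): generic Python logic that contrasts the pattern to avoid with a hardened validator that allow-lists extensions, checks magic bytes, rejects path characters and replaces the client's filename with a random one. The 2 MiB size limit and the /srv/uploads storage directory are assumptions.

```python
import posixpath
import secrets

# Allow-list of extensions the Markdown editor actually needs, and the leading
# bytes each format must start with. The Content-Type header is client-controlled
# and deliberately ignored.
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # covers GIF87a and GIF89a
}
MAX_BYTES = 2 * 1024 * 1024  # assumption: 2 MiB is plenty for editor images


class UploadRejected(ValueError):
    pass


def weak_store_path(client_name, dest_dir):
    """The pattern to avoid: trusts the client-supplied name and never looks at the
    content, so 'shell.php' or '../../public/shell.php' lands wherever the client says."""
    return posixpath.join(dest_dir, client_name)


def validate_image_upload(client_name, data):
    """Return the normalised extension if the upload is acceptable, else raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Only a bare file name is acceptable: no separators, traversal or NUL bytes.
    if "\x00" in client_name or posixpath.basename(client_name.replace("\\", "/")) != client_name:
        raise UploadRejected("file name contains path characters")
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_EXTS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # Magic-byte check catches 'shell.png' that is really PHP source. It does not catch
    # a polyglot (valid image header followed by script), which is why the extension
    # allow-list and a non-executing storage directory are the controls that matter.
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def hardened_store_path(client_name, data, dest_dir):
    """Validate, then store under a random name so nothing chosen by the client
    reaches the filesystem."""
    ext = validate_image_upload(client_name, data)
    return posixpath.join(dest_dir, f"{secrets.token_hex(16)}.{ext}")


def accepts(client_name, data):
    """Convenience wrapper: True if the validator would accept the upload."""
    try:
        validate_image_upload(client_name, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    png = MAGIC["png"] + b"\x00" * 32
    print("weak    :", weak_store_path("../shell.php", "/srv/uploads"))
    print("hardened:", hardened_store_path("photo.png", png, "/srv/uploads"))
    for name, data in [("shell.php", b"<?php echo 1; ?>"), ("shell.png", b"<?php echo 1; ?>"), ("../a.png", png)]:
        print(f"{name!r:14} accepted={accepts(name, data)}")
```

Two points the code cannot enforce on its own: the destination directory must be one the web server serves as static files only (or lives outside the web root and is served through the application), and if the deployment must tolerate polyglot images, re-encoding each upload through an image library before storage strips any trailing payload.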
