CVE-2026-34027
Status: Received - Intake
Insufficient File Validation in Wertheim SafeController

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: SEC Consult Vulnerability Lab

Description
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content.
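The weakness described above is a header-trust problem: the server decides whether an upload is acceptable from a string the client supplies. The following Python snippet is an added illustration, not code from Wertheim or from the advisory, and the product's own implementation language is not stated on the page. It places the substring-on-Content-Type pattern the description names beside a content-based check that sniffs the file's leading bytes, requires the declared type and the file extension to agree with what was sniffed, and then runs both checks over a handful of constructed uploads (the sample bytes and filenames are made up for the example).

```python
"""Constructed example: Content-Type substring check vs. content-based validation."""
import os
from typing import List, Optional, Tuple

# Allowed substrings, as the advisory describes the vulnerable check.
ALLOWED_HINTS = ("pdf", "jpeg", "tiff", "png")


def vulnerable_is_allowed(content_type: str) -> bool:
    """The flawed pattern: trust the client-supplied Content-Type header and
    accept the upload if it merely *contains* an allowed substring."""
    ct = content_type.lower()
    return any(hint in ct for hint in ALLOWED_HINTS)


# Leading-byte signatures of the formats the endpoint is meant to accept.
MAGIC = {
    "pdf": (b"%PDF-",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "tiff": (b"II*\x00", b"MM\x00*"),  # little- and big-endian TIFF headers
}

# Canonical MIME types and extensions each sniffed type may be declared with.
CANONICAL_MIME = {
    "pdf": {"application/pdf"},
    "jpeg": {"image/jpeg"},
    "png": {"image/png"},
    "tiff": {"image/tiff"},
}
ALLOWED_EXT = {
    "pdf": {".pdf"},
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "tiff": {".tif", ".tiff"},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the format from the file's own bytes; None if unrecognised."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def hardened_is_allowed(content_type: str, data: bytes, filename: str) -> bool:
    """Server-side check that does not rely on the header alone:
    1. the bytes must match a known signature,
    2. the declared Content-Type must exactly equal the canonical MIME type
       for that signature (no substring matching, parameters stripped),
    3. the file extension must be consistent with the sniffed type."""
    sniffed = sniff_type(data)
    if sniffed is None:
        return False
    declared = content_type.split(";")[0].strip().lower()
    if declared not in CANONICAL_MIME[sniffed]:
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXT[sniffed]


# Constructed uploads: (filename, declared Content-Type, body). The last two
# carry a header that satisfies the substring check but bytes that are not
# any of the permitted formats.
UPLOADS: List[Tuple[str, str, bytes]] = [
    ("invoice.pdf", "application/pdf", b"%PDF-1.7\n% constructed sample\n"),
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("notes.txt", "image/png", b"plain text, not an image"),
    ("report.html", "application/x-pdf-ish", b"<html><body>x</body></html>"),
]


def evaluate(uploads=UPLOADS) -> List[Tuple[str, bool, bool]]:
    """Return (filename, accepted_by_vulnerable_check, accepted_by_hardened_check)."""
    return [
        (name, vulnerable_is_allowed(ct), hardened_is_allowed(ct, body, name))
        for name, ct, body in uploads
    ]


if __name__ == "__main__":
    for name, weak, strong in evaluate():
        print(f"{name:12} vulnerable={weak!s:5} hardened={strong}")
```

Content sniffing only establishes that a file starts like one of the permitted formats; it is still good practice to store uploads outside any web-served path, serve them back with a fixed Content-Type and a download disposition, and keep the accepted list as short as the feature needs.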
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: wertheim
Product: safecontroller
Version / Range: 6.15.8328.28014
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

The vulnerability exists in the Wertheim SafeController Software, version 6.15.8328.28014, specifically in the /safe/contract/uploadcustomdocuments endpoint. The software performs insufficient server-side validation of uploaded file types by relying on the user-controlled HTTP Content-Type header. It accepts files if the Content-Type contains allowed strings like pdf, jpeg, tiff, or png. However, an authenticated attacker with any role or permission level can spoof this Content-Type value and upload arbitrary file content, bypassing proper validation.

Impact Analysis

This vulnerability allows an authenticated attacker to upload arbitrary files by spoofing the Content-Type header. This could lead to unauthorized file uploads that may contain malicious content, potentially resulting in further exploitation such as code execution, data compromise, or disruption of service depending on how the uploaded files are handled by the application.
