CVE-2026-36669
Received Received - Intake

Unauthenticated File Upload in Feng Office

Vulnerability report for CVE-2026-36669, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: MITRE

Description

An unauthenticated arbitrary file upload vulnerability in ck_upload_handler.php in Feng Office 3.11.13.11 allows remote attackers to upload malicious files (such as .html) to the web-accessible /tmp/ directory.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
feng_office feng_office 3.11.13.11
feng_office feng_office 4.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-36669 is an unauthenticated arbitrary file upload vulnerability in Feng Office Community Edition version 3.11.13.11. The flaw exists in the ck_upload_handler.php script, which lacks authentication checks, allowing remote attackers to upload arbitrary files (including malicious .html or .php scripts) to a web-accessible directory. The vulnerability is exacerbated by inactive server-side file validation, which was designed to restrict uploads to image formats but has been commented out in the code.

This enables attackers to bypass restrictions and upload executable files. The script writes uploaded files directly to the /tmp/ directory, which is web-accessible, and the lack of HttpOnly flags on session cookies allows for Stored Cross-Site Scripting (XSS) attacks.

Detection Guidance

Check for unexpected files in the /tmp/ directory, especially .html or .php files. Monitor network traffic for POST requests to ck_upload_handler.php without authentication. Inspect server logs for unusual upload activities or requests to web-accessible directories.

Impact Analysis

Attackers can upload malicious files to the server, leading to potential execution of arbitrary code or scripts. This could result in unauthorized access to sensitive data, session hijacking, or theft of administrative credentials. For example, when an administrator views an uploaded malicious file, embedded scripts may execute in their session context.

The vulnerability also enables Stored Cross-Site Scripting (XSS) attacks, which can compromise user accounts and sensitive information. Attackers could leverage this to perform actions on behalf of users or escalate privileges within the application.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or sensitive data, violating GDPR and HIPAA requirements for data protection and confidentiality. Organizations using the vulnerable version may face compliance violations, legal penalties, and reputational damage due to data breaches or unauthorized access.

Mitigation Strategies

Immediately enforce authentication on the ck_upload_handler.php endpoint. Re-enable and strengthen server-side file validation to block non-image uploads. Enable HttpOnly flags for session cookies to prevent XSS attacks. Consider temporarily disabling file uploads until patches are applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36669. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart