CVE-2026-53909
Status: Received - Intake

File Upload Validation Bypass in MCO

Vulnerability report for CVE-2026-53909, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: CERT.PL

Description

MCO does not correctly validate the types of uploaded files. The file upload validation relies only on client-side checks, which an attacker controls and can bypass by sending the upload request directly. An authenticated, low-privileged user can therefore upload files of arbitrary type to the server. Because attempts to contact the vendor were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1, but other versions may also be affected.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: mycomplianceoffice
Product: mco
Version / Range: up to 25.3.3.1 (exc)

Note that this CPE range excludes 25.3.3.1, whereas the description reports the issue as confirmed in 25.3.3.1 itself; until the vendor states otherwise, treat 25.3.3.1 as affected and do not rely on the range boundary alone when matching installed versions.

Exploitability

CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Executive Summary

This vulnerability exists because MCO does not validate the type of uploaded files on the server. The only check runs in the client, where the user (and therefore an attacker) controls it: a request built outside the browser can carry any filename and any declared content type, so the check provides no assurance to the server.

As a result, any authenticated user with low privileges can store files of arbitrary type on the server.

Impact Analysis

Because an authenticated, low-privileged user can place files of arbitrary type on the server, the practical impact depends on what the server does with those files afterwards: whether they are served back to other users (stored script or HTML content), processed automatically by the application (the CWE-434 case), or written somewhere they can be executed. The advisory confirms only the unrestricted upload itself and does not report code execution; treat execution or full server compromise as an escalation path to verify in your own deployment rather than as a confirmed outcome.
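The Description, Executive Summary and Impact Analysis all turn on the same point: a check that runs only in the client is not a check from the server's perspective. The following is an added example, not code from MCO or from the advisory, showing the server half of a "client-side only" design next to a server-side check that derives the file type from the bytes. It assumes, hypothetically, that the allowed types are PDF and PNG and that the server receives each upload as the filename, declared Content-Type and bytes that a multipart/form-data part carries; all sample uploads are constructed for the example.

```python
"""
Added example, not code from MCO or from the advisory: a server-side
file-type check that does not rely on anything the client declares,
next to the "client-side only" pattern the advisory describes.

Hypothetical assumptions: the allowed upload types are PDF and PNG, and
the server receives each upload as (filename, declared content type,
bytes), which is exactly what a multipart/form-data part carries.
All sample uploads below are constructed for this example.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Hypothetical allowlist: extension -> (expected MIME type, magic-byte prefix).
ALLOWED_TYPES = {
    ".pdf": ("application/pdf", b"%PDF-"),
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # hypothetical size cap


@dataclass(frozen=True)
class Upload:
    # All three fields come from the request body, so they are chosen by
    # whoever sends the request, whether or not browser JavaScript ran.
    filename: str      # from Content-Disposition: ...; filename="..."
    content_type: str  # from the part's Content-Type header
    data: bytes        # the file bytes themselves


def vulnerable_accept(upload: Upload) -> bool:
    """Server half of a 'client-side validation only' design.

    The browser-side check (is file.type in the allowlist?) ran on the
    sender's machine, so the server has no evidence it happened. Trusting
    the declared Content-Type here is the same as doing no check at all:
    a scripted client sends whatever Content-Type the server wants to see.
    """
    accepted_mimes = {mime for mime, _ in ALLOWED_TYPES.values()}
    return upload.content_type.split(";")[0].strip().lower() in accepted_mimes


def hardened_accept(upload: Upload) -> tuple[bool, str]:
    """Server-side validation derived from the bytes, not from client claims.

    Returns (accepted, reason). Each step uses only what the server can
    verify itself; the declared Content-Type is checked last and only as
    a cheap consistency test.
    """
    if len(upload.data) > MAX_UPLOAD_BYTES:
        return False, "file too large"

    # 1. Reduce the filename to a base name and one lower-cased extension.
    #    Path separators are stripped and double extensions (report.html.pdf)
    #    are rejected outright; this is deliberately stricter than many apps need.
    base = os.path.basename(upload.filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if not root or "." in root or ext not in ALLOWED_TYPES:
        return False, f"filename not allowed: {base!r}"
    expected_mime, magic = ALLOWED_TYPES[ext]

    # 2. The content must start with the signature of the type the extension
    #    claims. This catches HTML or script renamed to .pdf; it does not catch
    #    polyglots, which is why storage and serving controls still matter.
    if not upload.data.startswith(magic):
        return False, f"content does not look like {ext}"

    # 3. The declared type must agree with what the bytes say.
    declared = upload.content_type.split(";")[0].strip().lower()
    if declared != expected_mime:
        return False, f"declared type {declared!r} does not match {expected_mime}"

    return True, "ok"


# Constructed samples, not real MCO traffic.
FORGED_UPLOAD = Upload(
    filename="report.pdf",
    content_type="application/pdf",  # lies: the bytes are HTML
    data=b"<html><script>/* stored script */</script></html>",
)
LEGIT_PDF = Upload("report.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
DOUBLE_EXT = Upload("report.html.pdf", "application/pdf", b"%PDF-1.7\n")
RENAMED_PNG = Upload("logo.png", "image/png", b"%PDF-1.7\n")  # wrong signature for .png


if __name__ == "__main__":
    samples = [("forged", FORGED_UPLOAD), ("legit pdf", LEGIT_PDF),
               ("double extension", DOUBLE_EXT), ("renamed png", RENAMED_PNG)]
    for name, up in samples:
        print(f"{name:17} vulnerable={vulnerable_accept(up)!s:5} hardened={hardened_accept(up)}")
```

The signature check only rules out blatant mismatches; a file can be a valid PDF and still carry a script-bearing payload for some other parser. In practice pair a check like this with server-generated filenames, storage outside the web root, and `Content-Disposition: attachment` plus `X-Content-Type-Options: nosniff` when the file is served back, so that even an accepted file is never interpreted as HTML or script by a browser.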

Compliance Impact

MyComplianceOffice (MCO) is a compliance management platform used to help organizations meet regulatory obligations, so files stored through it often sit alongside records that regimes such as GDPR and HIPAA require to be protected and controlled. Allowing a low-privileged user to upload files of arbitrary type, because of missing server-side validation, weakens the integrity controls around that data and could lead to unauthorized data exposure or manipulation.

The advisory itself does not state a direct impact on compliance with any specific regulation; assess that against how your deployment stores, processes and serves uploaded files.
