Submission #743402: https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and RCE

Information

Title: https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and RCE
Description: In the bolo-solo version v2.6.4_stable, there is a remote code execution (RCE) vulnerability. This vulnerability arises from insufficient validation of the file names provided by users during the file upload operation at the /pic/upload endpoint. The application allows attackers to upload any files with specially designed names, including overwriting existing FreeMarker template files (.ftl). Since the application uses FreeMarker for dynamic page rendering, attackers can inject malicious FreeMarker expressions into the template files, which will then be executed on the server side during subsequent page accesses, resulting in arbitrary code execution.
Source: https://github.com/bolo-blog/bolo-solo/issues/329
User: MaoQiu (UID 94327)
Submitted: 21/01/2026 08:34 AM (2 months ago)
Moderation: 03/02/2026 03:04 PM (13 days later)
Status: Approved
VulDB Entry: 343981 [bolo-blog bolo-solo up to 2.6.4 FreeMarker Template PicUploadProcessor.java file permission bypass]
Points: 20
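As an added example, not code from the bolo-solo project, the following Java class shows the validation a defender would want in an upload handler of the kind described above: the server picks the stored file name, an image-extension allowlist makes a .ftl result impossible, and a canonical-path check confirms the file stays inside the upload directory. The class name, method names and the upload directory are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

/** Hardened naming for an image-upload handler (illustrative; not bolo-solo's PicUploadProcessor). */
public final class SafeUploadName {
    // Only the image types the endpoint is meant to accept; ".ftl" is deliberately absent.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "webp");

    /**
     * Returns the on-disk path for an upload, or throws if the client-supplied name
     * could escape the upload directory or would name a non-image file.
     */
    public static Path resolve(Path uploadDir, String clientName, String serverId) throws IOException {
        if (clientName == null || clientName.isEmpty()) throw new IOException("empty file name");
        // Reject any directory component: the client never chooses where the file lands.
        if (clientName.contains("/") || clientName.contains("\\") || clientName.contains("..")
                || clientName.indexOf('\0') >= 0) {
            throw new IOException("illegal characters in file name");
        }
        int dot = clientName.lastIndexOf('.');
        if (dot <= 0 || dot == clientName.length() - 1) throw new IOException("missing extension");
        String ext = clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) throw new IOException("extension not allowed: " + ext);
        // The stored base name is generated server-side, so the client controls none of the path.
        Path target = uploadDir.resolve(serverId + "." + ext).normalize();
        // Defence in depth: the resolved file must still sit inside the upload directory.
        Path base = uploadDir.toAbsolutePath().normalize();
        if (!target.toAbsolutePath().startsWith(base)) throw new IOException("path escapes upload dir");
        return target;
    }

    public static void main(String[] args) {
        Path dir = Paths.get("/var/bolo/upload"); // constructed example directory
        // Constructed sample names: one valid image, two that must be rejected, one upper-case extension.
        String[] samples = {"photo.png", "../templates/page.ftl", "page.ftl", "a.PNG"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolve(dir, s, "f1a2b3"));
            } catch (IOException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Pairing the name check with a server-side content-type check on the uploaded bytes closes the remaining gap of a valid image extension on non-image content.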
