CVE-2026-3187 in sz-boot-parentinfo

Summary

by MITRE • 02/25/2026

A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/19/2026

This vulnerability resides within the feiyuchuixue sz-boot-parent framework version 1.3.2-beta and earlier, specifically targeting the /api/admin/sys-file/upload endpoint. The flaw represents a critical unrestricted file upload vulnerability that allows remote attackers to bypass normal file validation mechanisms and upload arbitrary files to the server. The vulnerability stems from insufficient input validation and lack of proper file type restrictions within the API endpoint, creating an attack surface where malicious files can be uploaded without proper authorization or content verification. This type of vulnerability is classified under CWE-434 which specifically addresses the risk of unrestricted file upload leading to potential code execution and system compromise. The remote exploitability of this vulnerability means that attackers can leverage it from external networks without requiring physical access to the system, making it particularly dangerous in production environments.

The technical implementation of this vulnerability allows attackers to manipulate the file upload functionality through the API endpoint, bypassing any built-in security controls that should normally validate file extensions, MIME types, or content signatures. The attack vector is particularly concerning because it operates through a publicly available exploit, indicating that security researchers and malicious actors have already identified and documented the method of exploitation. The vulnerability enables attackers to upload malicious files such as web shells, scripts, or other harmful content that can be executed on the target server. This unrestricted upload capability directly violates security principles of least privilege and input validation, creating opportunities for persistent threats and privilege escalation attacks. The ATT&CK framework would categorize this as a technique involving "T1190 - Exploit Public-Facing Application" and potentially "T1059 - Command and Scripting Interpreter" when malicious code is executed through the uploaded files.

The operational impact of this vulnerability extends beyond simple data compromise to encompass complete system takeover potential. Once an attacker successfully uploads malicious content through this endpoint, they can execute arbitrary code on the server, potentially leading to full system compromise, data exfiltration, and establishment of persistent backdoors. The affected system becomes vulnerable to various attack scenarios including but not limited to web shell deployment, privilege escalation, and lateral movement within the network. Organizations relying on this framework version face significant risk of unauthorized access and potential data breaches. The vulnerability affects not just individual applications but the entire ecosystem of systems using this specific framework version, creating widespread exposure across multiple deployments. Security teams must consider the implications of this vulnerability across their entire infrastructure, as compromised systems can serve as launching points for broader attacks.

The recommended mitigation strategy involves upgrading to version 1.3.3-beta which includes a comprehensive fix addressing the unrestricted upload vulnerability. The patch implementation specifically introduces whitelist restrictions through oss.allowedExts and oss.allowedMimeTypes configuration options, providing administrators with granular control over permitted file types. This configuration-based approach aligns with security best practices by implementing defense-in-depth measures that validate file characteristics at multiple levels. The fix demonstrates proper security engineering principles by implementing explicit allowlists rather than relying on denylists, which are inherently less secure and more prone to bypasses. Organizations should immediately implement this upgrade across all affected systems and verify that the new configuration parameters are properly set to restrict file uploads to only known safe extensions and MIME types. Additional security measures such as web application firewalls, file content scanning, and regular security assessments should complement the patch implementation to provide comprehensive protection against similar vulnerabilities in the future.

Responsible

VulDB

Disclosure

02/25/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00307

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!