CVE-2026-36669 in Office
Summary
by MITRE • 07/17/2026
An unauthenticated arbitrary file upload vulnerability in ck_upload_handler.php in Feng Office 3.11.13.11 allows remote attackers to upload malicious files (such as .html) to the web-accessible /tmp/ directory.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability identified in Feng Office 3.11.13.11 represents a critical security flaw in the ck_upload_handler.php component that enables unauthenticated arbitrary file uploads. This issue stems from inadequate input validation and authorization checks within the file upload mechanism, allowing remote attackers to bypass authentication requirements and place malicious files directly into the web-accessible /tmp/ directory. The vulnerability falls under CWE-434 which specifically addresses the improper restriction of uploads to a restricted directory, making it particularly dangerous as it provides direct access to the web server's temporary storage area where uploaded content becomes immediately accessible to all users.
The technical exploitation of this vulnerability occurs through the ck_upload_handler.php script which processes file uploads without verifying the authenticity of the uploader or validating the file types being submitted. Attackers can leverage this flaw by sending specially crafted HTTP requests that bypass normal authentication procedures and upload malicious files such as html payloads that could contain embedded javascript or other harmful content. The /tmp/ directory serves as a web-accessible location, meaning any successfully uploaded files become immediately executable or viewable through standard web browser access, creating a direct pathway for attackers to execute code or perform cross-site scripting attacks.
The operational impact of this vulnerability extends far beyond simple unauthorized file placement. Once malicious files are uploaded to the /tmp/ directory, they can be leveraged for various attack vectors including persistent cross-site scripting against authenticated users, server-side request forgery attacks, or even privilege escalation if the application runs with elevated permissions. The unauthenticated nature of the exploit means that any remote attacker can immediately take advantage of this weakness without requiring valid credentials or prior access to the system, making it particularly attractive for automated exploitation campaigns. This vulnerability essentially provides attackers with a backdoor mechanism to establish persistent access and conduct further reconnaissance on the affected system.
Organizations utilizing Feng Office 3.11.13.11 should implement immediate mitigations including restricting write permissions to the /tmp/ directory, implementing strict file type validation and content checking mechanisms, and enforcing authentication requirements for all upload operations. Additionally, network segmentation and intrusion detection systems should be deployed to monitor for suspicious upload activities. The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application which emphasizes the importance of validating all inputs and implementing proper access controls. Regular security audits and penetration testing should be conducted to identify similar weaknesses in other application components, while patch management procedures must be established to ensure timely remediation of known vulnerabilities. The implementation of web application firewalls and content security policies can further reduce the risk associated with this type of vulnerability by blocking suspicious file upload patterns and providing additional layers of protection against exploitation attempts.