| Título | dst-admin dst-admin <= 1.5.0 Improper Input Validation |
|---|
| Descrição | An arbitrary file deletion vulnerability exists in dst-admin <= 1.5.0. The BackupController.deleteBackup() endpoint accepts a user-controlled array of file names and passes them directly to BackupService.deleteBackup() without proper validation. The vulnerability allows authenticated attackers to delete critical system files, application configuration files, or any files accessible to the application user. |
|---|
| Fonte | ⚠️ https://fx4tqqfvdw4.feishu.cn/docx/YKwydLrdno51JtxJksmcWSfbnvd?from=from_copylink |
|---|
| Utilizador | xcxr (UID 86629) |
|---|
| Submissão | 09/02/2026 07h43 (há 4 meses) |
|---|
| Moderação | 22/02/2026 08h14 (13 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 347324 [qinming99 dst-admin até 1.5.0 File BackupController.java deleteBackup Negação de Serviço] |
|---|
| Pontos | 20 |
|---|