| Title | dst-admin dst-admin <= 1.5.0 Improper Input Validation |
|---|
| Description | An arbitrary file deletion vulnerability exists in dst-admin <= 1.5.0. The BackupController.deleteBackup() endpoint accepts a user-controlled array of file names and passes them directly to BackupService.deleteBackup() without proper validation. The vulnerability allows authenticated attackers to delete critical system files, application configuration files, or any files accessible to the application user. |
|---|
| Source | ⚠️ https://fx4tqqfvdw4.feishu.cn/docx/YKwydLrdno51JtxJksmcWSfbnvd?from=from_copylink |
|---|
| User | xcxr (UID 86629) |
|---|
| Submission | 02/09/2026 07:43 (3 months ago) |
|---|
| Moderation | 02/22/2026 08:14 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 347324 [qinming99 dst-admin up to 1.5.0 File BackupController.java deleteBackup denial of service] |
|---|
| Points | 20 |
|---|