CVE-2026-3187 - Vulnerability Analysis
MediumCVSS: 6.3Last Updated: February 26, 2026
feiyuchuixue sz-boot-parent - Unrestricted File Upload
Published: February 25, 2026Updated: February 26, 2026PoC AvailableRemote Exploitable
Overview
feiyuchuixue sz-boot-parent <= 1.3.2-beta contains an unrestricted file upload vulnerability caused by lack of proper file type restrictions in /api/admin/sys-file/upload API endpoint, letting remote attackers upload arbitrary files, exploit requires no special privileges.
Severity & Score
Severity: Medium
CVSS Score: 6.3
Impact
Remote attackers can upload arbitrary files, potentially leading to remote code execution or system compromise.
Mitigation
Upgrade to version 1.3.3-beta or later.
References
- https://github.com/feiyuchuixue/sz-boot-parent/
- https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802
- https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
- https://github.com/yuccun/CVE/blob/main/sz-boot-parent-Arbitrary_File_Upload.md
- https://vuldb.com/?ctiid.347745
- https://vuldb.com/?id.347745
- https://vuldb.com/?submit.754038
Related Resources
Details
- CVE ID
- CVE-2026-3187
- Severity
- Medium
- CVSS Score
- 6.3
- Type
- unrestricted_file_upload
- Status
- confirmed
CWE
- CWE-284
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L