Description

A vulnerability was detected in huanzi-qch base-admin up to 57a8126bb3353a004f3c7722089e3b926ea83596. The affected element is the function Upload in the file SysFileController.java of the component JSP Parser. Manipulating the argument File results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. This product uses continuous delivery with rolling releases, so no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

PUBLISHED Reserved 2026-02-18 | Published 2026-02-18 | Updated 2026-02-23 | Assigner VulDB




MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
MEDIUM: 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Unrestricted Upload

Improper Access Controls

Product status

57a8126bb3353a004f3c7722089e3b926ea83596
affected

Timeline

2026-02-18: Advisory disclosed
2026-02-18: VulDB entry created
2026-02-18: VulDB entry last update

Credits

Jszdk (VulDB User) reporter

References

vuldb.com/?id.346462 (VDB-346462 | huanzi-qch base-admin JSP Parser SysFileController.java upload unrestricted upload) vdb-entry technical-description

vuldb.com/?ctiid.346462 (VDB-346462 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.753240 (Submit #753240 | https://github.com/huanzi-qch/base-admin base-admin v1.0 Upload any file) third-party-advisory

github.com/huanzi-qch/base-admin/issues/38 issue-tracking

github.com/huanzi-qch/base-admin/issues/38 exploit issue-tracking

github.com/huanzi-qch/base-admin/ product

cve.org (CVE-2026-2665)

nvd.nist.gov (CVE-2026-2665)