Strix
26.1K

CVE-2026-3187

LOWCVSS 2.1/10EPSS 0.31%

Last modified

CVE-2026-3187 is a low-severity vulnerability rated 2.1/10 on the CVSS scale. A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. EPSS estimates a 0.31% chance of exploitation in the next 30 days.

Description

A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0
2.1/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability
0.31%

22.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
SzadminSz-Boot-Parent<= 0.9.0
SzadminSz-Boot-Parent1.0.0Beta
SzadminSz-Boot-Parent1.0.1Beta
SzadminSz-Boot-Parent1.0.2Beta
SzadminSz-Boot-Parent1.1.0Beta
SzadminSz-Boot-Parent1.2.0Beta
SzadminSz-Boot-Parent1.2.1Beta
SzadminSz-Boot-Parent1.2.2Beta
SzadminSz-Boot-Parent1.2.3Beta
SzadminSz-Boot-Parent1.2.4Beta
SzadminSz-Boot-Parent1.2.5Beta
SzadminSz-Boot-Parent1.2.6Beta
SzadminSz-Boot-Parent1.3.0Beta
SzadminSz-Boot-Parent1.3.1Beta
SzadminSz-Boot-Parent1.3.2Beta

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-3187?
A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."
How severe is CVE-2026-3187?
CVE-2026-3187 has a CVSS score of 2.1/10 (LOW severity). The EPSS model estimates a 0.31% probability of exploitation in the next 30 days.
How do I fix CVE-2026-3187?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-3187?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST