CVE-2026-2979 | FastApiAdmin up to 2.2.0 Scheduled Task API controller.py user_avatar_upload_controller unrestricted upload

A vulnerability categorized as critical has been discovered in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload.

This vulnerability is tracked as CVE-2026-2979. The attack can be launched remotely. Moreover, an exploit is present.