CVE-2026-3187 | feiyuchuixue sz-boot-parent up to 1.3.2-beta API Endpoint upload unrestricted upload

A vulnerability described as critical has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload.

This vulnerability is traded as CVE-2026-3187. The attack may be launched remotely. Furthermore, there is an exploit available.

Upgrading the affected component is recommended.

The project was informed beforehand and acted very professional: “We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads.”

CVE-2026-3187 | feiyuchuixue sz-boot-parent up to 1.3.2-beta API Endpoint upload unrestricted upload

Post correlati

CVE-2025-43746 | Liferay Portal/DXP cross site scripting

CVE-2024-27885 | Apple macOS up to 12.6/13.5/14.4 symlink

CVE-2024-49268 | sunburntkamel Disconnected Plugin up to 1.3.0 on WordPress cross site scripting

CVE-2024-25568 | Elecom WRC-X3200GST3-B/WRC-G01-W os command injection