A vulnerability classified as critical was found in AREA 17 Twill CMS up to 3.6.0. The impacted element is the function
FileLibraryController::storeFile of the file src/Http/Controllers/Admin/FileLibraryController.php of the component Media Library Insert Page. Such manipulation of the argument qqfilename leads to unrestricted upload.
This vulnerability is documented as CVE-2026-15518. The attack can be executed remotely. Additionally, an exploit exists.
The vendor was contacted early about this disclosure but did not respond in any way.