VYPR
Critical severity · NVD Advisory · Published Jan 20, 2023 · Updated Apr 3, 2025

XpressEngine file upload vulnerability

CVE-2021-26642

Description

When an image file is uploaded to a bulletin board developed with XpressEngine, insufficient verification of the file allows an arbitrary file to be uploaded. A remote attacker can use this vulnerability to execute arbitrary code on the server where the bulletin board is running.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: xpressengine/xpressengine (Packagist)
Affected versions: < 3.0.15
Patched versions: 3.0.15
