VYPR
Medium severity (6.3) · NVD Advisory · Published Mar 28, 2026 · Updated Apr 29, 2026

CVE-2026-4999

Description

A security vulnerability has been detected in z-9527 admin up to 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2. This issue affects the function uploadFile of the file /server/utils/upload.js of the component isImg Check. The manipulation of the argument fileType leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in z-9527 admin's uploadFile allows authenticated attackers to write arbitrary files via a manipulated fileType parameter.

Vulnerability

Description

A path traversal vulnerability exists in z-9527 admin up to commit 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2. The function uploadFile in /server/utils/upload.js concatenates the fileType query parameter directly into the filesystem path without validation or canonicalization, enabling directory traversal [1].

Exploitation

An authenticated attacker can craft a request to the /upload endpoint, setting fileType to values containing directory traversal sequences such as ../ to write files outside the intended public/upload-files directory. The optional isImg check can be bypassed, allowing arbitrary file uploads [1].

Impact

Successful exploitation allows an attacker to write arbitrary files to the server filesystem. This can lead to overwriting critical files, introducing malicious scripts, or achieving remote code execution depending on the writable path.

Mitigation

No official patch is available as the vendor did not respond. Mitigations include whitelisting fileType values, canonicalizing and verifying that resolved paths stay within a fixed upload root, rejecting directory-traversal or absolute-path inputs, and storing uploads outside the webroot with least privilege [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
