VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50878

Description

Feuerhamster MailForm v1.1.0 does not clean up uploaded attachment temp files, enabling disk-space exhaustion via repeated form submissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Feuerhamster MailForm v1.1.0, an email form handler, uses Formidable to parse multipart uploads in the route /:target (src/router.ts). The application never removes the temporary files the parser creates once the email delivery path in src/services/email.ts has finished with them. The missing cleanup is confirmed on the failure path (e.g., unreachable SMTP) and may also apply after successful delivery, depending on parser behavior. Affected version: v1.1.0 [1].

Exploitation

An attacker must be able to submit a multipart POST request to a configured /:target route with an attachment. No authentication is required if the form endpoint is public. Each such submission creates a new temporary file in the server's temporary directory that is never deleted; submissions whose delivery settings cause email sending to fail are the reliably affected path. Repeated, automated submissions therefore progressively fill the filesystem [1].

Impact

Successful exploitation results in persistent accumulation of temporary files in the server's temporary directory. This can lead to denial of service (DoS) via disk space exhaustion. Additionally, if other local users or processes have access to the temporary directory, the residual attachment files may expose sensitive data from submissions [1].

Mitigation

No fix has been released as of the publication date (2026-06-15). The vendor should implement explicit cleanup of temporary files after the email-sending routine completes, regardless of success or failure. Until a patch is available, administrators can mitigate by restricting access to the upload endpoint, setting filesystem disk quotas, or running a cron job to periodically clean the temporary directory of files older than the maximum expected form processing time [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing cleanup of temporary upload files after form submission handling allows persistent disk space accumulation."

Attack vector

An attacker sends a multipart POST request to a configured `/:target` route with a file attachment. By using delivery settings that cause the email send to fail (e.g., unreachable SMTP), the temporary file created by Formidable is never cleaned up. Repeated submissions accumulate attacker-controlled files in the server's temporary directory, leading to disk space exhaustion [ref_id=1].

Affected code

The vulnerability resides in the attachment handling lifecycle of MailForm v1.1.0. The route in `src/router.ts` accepts multipart submissions and parses them with Formidable, passing the attachment path to the email-sending service in `src/services/email.ts`. Neither the success nor failure paths remove the parser-created temporary file after the application has finished using it.

What the fix does

The advisory does not include a published patch. The recommended remediation is to ensure that temporary upload files created by Formidable are explicitly removed after the email delivery path no longer needs them, covering both success and failure paths [ref_id=1]. Without such cleanup, the server remains vulnerable to persistent disk space accumulation.

Preconditions

  • [config] MailForm v1.1.0 must be running with a configured /:target route
  • [network] Attacker must be able to send multipart POST requests with file attachments
  • [config] Email delivery must fail (e.g., unreachable SMTP) or cleanup must be absent on success

Reproduction

Start MailForm 1.1.0 with a known writable TMPDIR and a configured /:target route. Count files in the temporary directory before submitting a request. Send a multipart POST /:target request with one file attachment and use delivery settings that make the email send fail, such as unreachable SMTP settings. Count the temporary directory again and observe one new Formidable upload file. Repeat the same request and observe the count increase again, for example from 0 to 1 to 2 [ref_id=1].

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in the index yet)