{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2146", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-07T07:49:51.903Z", "datePublished": "2026-02-08T09:32:07.064Z", "dateUpdated": "2026-02-23T09:40:29.328Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:40:29.328Z"}, "title": "guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-434", "lang": "en", "description": "Unrestricted Upload"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}], "affected": [{"vendor": "guchengwuyue", "product": "yshopmall", "versions": [{"version": "1.9.0", "status": "affected"}, {"version": "1.9.1", "status": "affected"}], "cpes": ["cpe:2.3:a:guchengwuyue:yshopmall:*:*:*:*:*:*:*:*"], "modules": ["co.yixiang.utils.FileUtil"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-07T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-18T02:23:40.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "mukyuuhate (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344848", "name": "VDB-344848 | guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344848", "name": "VDB-344848 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.747409", "name": "Submit #747409 | https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 Incomplete Identification of Uploaded File Variables", "tags": ["third-party-advisory"]}, {"url": "https://github.com/guchengwuyue/yshopmall/issues/40", "tags": ["issue-tracking"]}, {"url": "https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/guchengwuyue/yshopmall/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T21:19:14.862797Z", "id": "CVE-2026-2146", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T21:19:22.192Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2146", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T21:19:14.862797Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T21:19:18.748Z"}}], "cna": {"title": "guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload", "credits": [{"lang": "en", "type": "reporter", "value": "mukyuuhate (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:guchengwuyue:yshopmall:*:*:*:*:*:*:*:*"], "vendor": "guchengwuyue", "modules": ["co.yixiang.utils.FileUtil"], "product": "yshopmall", "versions": [{"status": "affected", "version": "1.9.0"}, {"status": "affected", "version": "1.9.1"}]}], "timeline": [{"lang": "en", "time": "2026-02-07T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-07T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-18T02:23:40.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344848", "name": "VDB-344848 | guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344848", "name": "VDB-344848 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.747409", "name": "Submit #747409 | https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 Incomplete Identification of Uploaded File Variables", "tags": ["third-party-advisory"]}, {"url": "https://github.com/guchengwuyue/yshopmall/issues/40", "tags": ["issue-tracking"]}, {"url": "https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/guchengwuyue/yshopmall/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:40:29.328Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2146", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:40:29.328Z", "dateReserved": "2026-02-07T07:49:51.903Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-08T09:32:07.064Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:guchengwuyue:yshopmall:*:*:*:*:*:*:*:*", "matchCriteriaId": "59DA2DC7-2594-494A-959C-2CDDF504605F", "versionEndIncluding": "1.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de seguridad en guchengwuyue yshopmall hasta la versi\u00f3n 1.9.1. Esto afecta a la funci\u00f3n updateAvatar del archivo /API/users/updateAvatar del componente co.yixiang.utils.FileUtil. Realizar una manipulaci\u00f3n del argumento File resulta en una carga sin restricciones. El ataque puede ser llevado a cabo de forma remota. El exploit ha sido publicado y puede ser utilizado para ataques. El proyecto fue informado del problema tempranamente a trav\u00e9s de un informe de incidencias, pero a\u00fan no ha respondido."}], "id": "CVE-2026-2146", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-08T10:15:49.467", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/guchengwuyue/yshopmall/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/guchengwuyue/yshopmall/issues/40"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.344848"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.344848"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.747409"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:16:40.036748+00:00", "value": {"mitigation_remediation": ["Apply any vendor-supplied patch or newer release that fixes the unrestricted upload in updateAvatar and verify that the handler now performs proper file type validation.", "If a patch is not available, temporarily disable the updateAvatar endpoint or prevent unauthenticated users from accessing it.", "Implement server\u2011side validation that accepts only image files (e.g., .jpg, .png, .gif) and rejects all other file types.", "Enforce strict access control so that only authenticated users with appropriate roles can execute the updateAvatar operation."], "summary": {"action": "Patch Promptly", "impact": "Unrestricted File Upload"}, "threat_synthesis": {"affected_systems": "Affected systems include the YSHOPMall application provided by guchengwuyue, versions up to and including 1.9.1. The vulnerability resides in /api/users/updateAvatar and any installation running a vulnerable version without an applied fix is exposed. No other versions beyond 1.9.1 have been verified as secure, so users must confirm their local installation version and upgrade if necessary.", "description_and_impact": "The flaw is located in the updateAvatar endpoint of the co.yixiang.utils.FileUtil component. A malicious user can manipulate the File argument to bypass server validation and upload any file type. Because the upload is unrestricted, an attacker could potentially place executable scripts or web shells on the server, leading to remote code execution or other malicious activity. The CVSS score of 5.3 indicates moderate severity, and the attack can be carried out remotely, as stated in the description.", "risk_and_exploitability": "Risk assessment shows a moderate CVSS score of 5.3 and an EPSS of less than 1%, indicating a low but non\u2011zero exploitation probability. The flaw is not listed in CISA\u2019s KEV catalog, yet a public exploit exists and the remote nature of the issue means attackers can trigger it over the Internet. The vulnerability hinges on insufficient file type validation (CWE\u2011434) and lack of proper access control (CWE\u2011284), forming the basis of the attack path. Organizations using YSHOPMall should treat this flaw as a security risk that requires prompt attention."}}}}, "created": "2026-02-09T10:40:22.432651+00:00", "updated": "2026-04-18T13:30:45.731987+00:00", "vendors": ["guchengwuyue", "guchengwuyue$PRODUCT$yshopmall"]}