{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34735", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.754Z", "datePublished": "2026-04-02T18:23:26.441Z", "dateUpdated": "2026-04-02T19:14:04.735Z"}, "containers": {"cna": {"title": "Hytale Modding Vulnerable to Remote Code Execution via File Upload Bypass in `FileController`", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/HytaleModding/wiki/security/advisories/GHSA-2xqq-6778-h4j9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HytaleModding/wiki/security/advisories/GHSA-2xqq-6778-h4j9"}], "affected": [{"vendor": "HytaleModding", "product": "wiki", "versions": [{"version": "<= 1.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:23:26.441Z"}, "descriptions": [{"lang": "en", "value": "The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload() endpoint validates uploaded files by checking their MIME type (via PHP's finfo, which inspects file contents) but constructs the stored filename using the client-supplied file extension from getClientOriginalExtension(). These two checks are independent: an attacker can upload a file whose content passes the MIME allowlist while using a .php extension. The file is stored on the public disk and is directly accessible via URL, allowing server-side code execution. At time of publication no known patches exist."}], "source": {"advisory": "GHSA-2xqq-6778-h4j9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T19:13:55.289776Z", "id": "CVE-2026-34735", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T19:14:04.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34735", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T19:13:55.289776Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T19:14:00.137Z"}}], "cna": {"title": "Hytale Modding Vulnerable to Remote Code Execution via File Upload Bypass in `FileController`", "source": {"advisory": "GHSA-2xqq-6778-h4j9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "HytaleModding", "product": "wiki", "versions": [{"status": "affected", "version": "<= 1.2.0"}]}], "references": [{"url": "https://github.com/HytaleModding/wiki/security/advisories/GHSA-2xqq-6778-h4j9", "name": "https://github.com/HytaleModding/wiki/security/advisories/GHSA-2xqq-6778-h4j9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload() endpoint validates uploaded files by checking their MIME type (via PHP's finfo, which inspects file contents) but constructs the stored filename using the client-supplied file extension from getClientOriginalExtension(). These two checks are independent: an attacker can upload a file whose content passes the MIME allowlist while using a .php extension. The file is stored on the public disk and is directly accessible via URL, allowing server-side code execution. At time of publication no known patches exist."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:23:26.441Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34735", "state": "PUBLISHED", "dateUpdated": "2026-04-02T19:14:04.735Z", "dateReserved": "2026-03-30T18:41:20.754Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:23:26.441Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload() endpoint validates uploaded files by checking their MIME type (via PHP's finfo, which inspects file contents) but constructs the stored filename using the client-supplied file extension from getClientOriginalExtension(). These two checks are independent: an attacker can upload a file whose content passes the MIME allowlist while using a .php extension. The file is stored on the public disk and is directly accessible via URL, allowing server-side code execution. At time of publication no known patches exist."}], "id": "CVE-2026-34735", "lastModified": "2026-04-16T14:45:19.723", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:32.723", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/HytaleModding/wiki/security/advisories/GHSA-2xqq-6778-h4j9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "wiki", "source": "cna", "vendor": "HytaleModding"}, "product": "wiki", "vendor": "hytalemodding"}], "analysis": {"en": {"generated_at": "2026-04-02T22:23:55.192093+00:00", "value": {"mitigation_remediation": ["Contact the Hytale Modding support team to request an urgent fix or an update for the affected service.", "Modify the upload handling logic to reject or block files with executable extensions such as .php, .phtml, or .exe.", "Remove execute permissions from the directory where uploaded files are stored, ensuring only static content can be served.", "Configure the web server to disable PHP execution in the upload directory (e.g., via .htaccess or server configuration).", "Enforce a strict whitelist of allowed file extensions (e.g., .jpg, .png, .md) for all uploads.", "Enable detailed logging of file\u2011upload activities and regularly review logs for anomalous files.", "If an immediate fix cannot be applied, consider temporarily disabling the quickUpload endpoint or relocating the wiki to a host with hardened file\u2011serve settings."], "summary": {"action": "Mitigate", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the Hytale Modding Wiki service, which hosts documentation and wikis for Hytale mods. Versions 1.2.0 and earlier are vulnerable, and no official patch has been released at the time of this advisory.", "description_and_impact": "The vulnerability lies in the Hytale Modding Wiki\u2019s quickUpload endpoint, which validates uploaded files only by inspecting MIME type with PHP\u2019s finfo library. However, the filename stored on disk is built from the client\u2011supplied file extension without cross\u2011checking the MIME type against that extension. An attacker can therefore upload a file whose contents satisfy the allowed MIME type but whose extension is .php. The file is written to a publicly accessible directory and can be executed as PHP code, giving the attacker full remote code execution on the server. This is a type\u2011of\u2011upload\u2011vulnerability categorized as CWE\u2011434, capable of compromising confidentiality, integrity, and availability of the host system.", "risk_and_exploitability": "With a CVSS score of 8.7 the vulnerability is considered High. No EPSS score is available and the issue is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote via the public file\u2011upload API; the attacker only needs to supply a file that passes the MIME check while naming it with a .php extension. If the public upload directory allows execution of PHP files, the attacker immediately achieves remote code execution, which can lead to full system compromise."}}}}, "created": "2026-04-03T07:31:48.664747+00:00", "updated": "2026-04-03T09:16:48.057612+00:00", "vendors": ["hytalemodding", "hytalemodding$PRODUCT$wiki"]}