CVE-2026-36760

critical

Published 2026-04-30 · Modified 2026-04-30

CVSS v3

9.6

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

VIR risk

9.6

Description

An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.

Predictions

Exploit likelihood

96%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://github.com/thinkgem/jeesite
https://github.com/thinkgem/jeesite/issues/530
https://github.com/thinkgem/jeesite/issues/530

CWEs

CWE-22

💬 Discuss CVE-2026-36760 on VIR Community →

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.