guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload_CVE-2026-2146

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Basic Information

ID CVE-2026-2146

Source VulDB

Published Feb 8, 2026 at 09:32

Affected Product

Vendor guchengwuyue

Product yshopmall

Version 1.9.0

Affected Versions guchengwuyue yshopmall 1.9.0
guchengwuyue yshopmall 1.9.1

CWE Classification

CWE-434 CWE-284

References

{
    "lastseen": "",
    "description": "A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
    "published": "2026-02-08T09:32:07.064Z",
    "modified": "2026-02-08T09:32:07.064Z",
    "type": "cve",
    "title": "guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.344848\nhttps://vuldb.com/?ctiid.344848\nhttps://vuldb.com/?submit.747409\nhttps://github.com/guchengwuyue/yshopmall/issues/40\nhttps://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812\nhttps://github.com/guchengwuyue/yshopmall/",
    "id": "CVE-2026-2146",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434",
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "guchengwuyue yshopmall 1.9.0\nguchengwuyue yshopmall 1.9.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "yshopmall",
    "version": "1.9.0",
    "vendor": "guchengwuyue",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}