FrontAccounting < 2.4.20 Path Traversal RCE via attachment upload (CVE-2026-40521)

Score: 8.7 / 10 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. An attacker can supply a path traversal sequence such as ../../../shell.php to write the uploaded file outside the intended attachments directory into the web root; because the handler does not validate file extensions, uploading a PHP file this way yields remote code execution as the web server user.
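The two defects the description names (a client-controlled name that is used as a path, and no extension validation) are both closed by canonicalising the name before it touches the filesystem. The following is an added example written for this page, not FrontAccounting's own code; the function name safe_attachment_path, its $attachments_dir argument, and the extension allowlist are assumptions.

```php
<?php
// Added example (not FrontAccounting code): derive a safe destination path for an
// uploaded attachment. Function name, arguments and allowlist are hypothetical.
// It addresses both flaws in the advisory: traversal sequences in the supplied
// name and unrestricted file extensions.

// Extensions an attachment may carry. PHP and other server-executable types are
// deliberately absent; an allowlist is safer than a denylist of "bad" extensions.
const ATTACHMENT_ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt', 'csv'];

/**
 * Return an absolute path inside $attachments_dir for $unique_name, or null if the
 * name is unsafe. Callers must treat null as a hard rejection of the upload.
 */
function safe_attachment_path(string $attachments_dir, string $unique_name): ?string
{
    // 1. Resolve the storage directory to a canonical absolute path.
    //    realpath() returns false if the directory does not exist.
    $base = realpath($attachments_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // 2. Discard every directory component the client supplied; only the final
    //    segment is kept, so "../../../shell.php" collapses to "shell.php".
    $name = basename($unique_name);

    // 3. Require a strict character set and exactly one extension, which rejects
    //    names such as ".htaccess", "a..b" or "x.php.png" before they reach disk.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$/', $name)) {
        return null;
    }

    // 4. Enforce the extension allowlist, case-insensitively ("notes.PHP" fails).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ATTACHMENT_ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // 5. Defence in depth: the assembled path must still lie under the base
    //    directory, so a future change to steps 2-3 cannot silently reopen the hole.
    $target = $base . DIRECTORY_SEPARATOR . $name;
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed inputs showing which names are accepted and which are rejected.
// The system temp directory stands in for the attachments directory so the
// script runs anywhere.
$dir = sys_get_temp_dir();
foreach (['report.pdf', '../../../shell.php', 'notes.PHP', 'a.txt.php', 'image.png'] as $n) {
    $p = safe_attachment_path($dir, $n);
    printf("%-22s => %s\n", $n, $p === null ? 'rejected' : 'accepted');
}
```

The returned path is what should be handed to move_uploaded_file(); the original client name should never be used directly. Independently of this check, keeping the attachments directory outside the document root (or configuring the web server not to execute scripts from it) means that even a file that slips through cannot be run as PHP.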

AI Analysis

Path traversal vulnerability in attachment upload handler allowing remote code execution

Basic Information

ID CVE-2026-40521
Source VulnCheck
Published Jun 29, 2026 at 12:30

Affected Product

Vendor FrontAccounting
Product FrontAccounting
Affected Versions FrontAccounting, all versions before 2.4.20

AI Assessment

AI Score 8.7 / 10
AI Severity High
Vendor FrontAccounting
Product FrontAccounting
Version < 2.4.20
