Cyber Resilience

CVE-2026-2146

MediumPublic PoC

Published: 08 February 2026

Published
08 February 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 21.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2146 is a medium-severity Improper Access Control (CWE-284) vulnerability in Guchengwuyue Yshopmall. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked at the 21.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2146 is an unrestricted file upload vulnerability affecting guchengwuyue yshopmall versions up to 1.9.1. The flaw resides in the updateAvatar function within the /api/users/updateAvatar endpoint of the co.yixiang.utils.FileUtil component. By manipulating the File argument, attackers can upload arbitrary files remotely, as documented in the CVE description with associated CWEs-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The attack requires low privileges (PR:L), meaning an authenticated user with basic access can exploit it over the network with low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, primarily through the upload of potentially malicious files that could lead to further compromise depending on server configuration and file handling.

Advisories from VulDB (ctiid.344848 and id.344848) and GitHub issue #40 in the yshopmall repository detail the issue, noting that the project was informed early via an issue report but has not responded or released patches as of the CVE publication on 2026-02-08. No official mitigations or fixes are available, so practitioners should restrict access to the affected endpoint, validate file uploads strictly, and monitor for exploit attempts.

Notably, a public exploit has been released, increasing the risk of active attacks against unpatched instances.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible…

more

to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload (CWE-434) directly enables deployment of web shells on the server via the exposed API endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25426Same product: Guchengwuyue Yshopmall
CVE-2025-15496Same product: Guchengwuyue Yshopmall
CVE-2026-1742Shared CWE-284, CWE-434
CVE-2026-1061Shared CWE-284, CWE-434
CVE-2024-13201Shared CWE-284, CWE-434
CVE-2026-1813Shared CWE-284, CWE-434
CVE-2026-0577Shared CWE-284, CWE-434
CVE-2025-7210Shared CWE-284, CWE-434
CVE-2024-13210Shared CWE-284, CWE-434
CVE-2026-4220Shared CWE-284, CWE-434

Affected Assets

guchengwuyue
yshopmall
≤ 1.9.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of uploaded files to reject dangerous types before the updateAvatar function accepts them.

prevent

Enforces access-control policy on the /api/users/updateAvatar endpoint so only explicitly authorized operations on File arguments are permitted.

preventdetect

Scans or blocks malicious content in files uploaded through the vulnerable FileUtil path, limiting post-upload exploitation.

References