CVE-2026-2146
Published: 08 February 2026
Summary
CVE-2026-2146 is a medium-severity Improper Access Control (CWE-284) vulnerability in Guchengwuyue Yshopmall. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked at the 21.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2146 is an unrestricted file upload vulnerability affecting guchengwuyue yshopmall versions up to 1.9.1. The flaw resides in the updateAvatar function within the /api/users/updateAvatar endpoint of the co.yixiang.utils.FileUtil component. By manipulating the File argument, attackers can upload arbitrary files remotely, as documented in the CVE description with associated CWEs-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The attack requires low privileges (PR:L), meaning an authenticated user with basic access can exploit it over the network with low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, primarily through the upload of potentially malicious files that could lead to further compromise depending on server configuration and file handling.
Advisories from VulDB (ctiid.344848 and id.344848) and GitHub issue #40 in the yshopmall repository detail the issue, noting that the project was informed early via an issue report but has not responded or released patches as of the CVE publication on 2026-02-08. No official mitigations or fixes are available, so practitioners should restrict access to the affected endpoint, validate file uploads strictly, and monitor for exploit attempts.
Notably, a public exploit has been released, increasing the risk of active attacks against unpatched instances.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5803
Vulnerability details
A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible…
more
to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload (CWE-434) directly enables deployment of web shells on the server via the exposed API endpoint.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of uploaded files to reject dangerous types before the updateAvatar function accepts them.
Enforces access-control policy on the /api/users/updateAvatar endpoint so only explicitly authorized operations on File arguments are permitted.
Scans or blocks malicious content in files uploaded through the vulnerable FileUtil path, limiting post-upload exploitation.