CVE-2026-2684
Published: 19 February 2026
Summary
CVE-2026-2684 is a medium-severity Improper Access Control (CWE-284) vulnerability in Unigroup Electronic Archives System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2684 is an unrestricted file upload vulnerability in Tsinghua Unigroup Electronic Archives System versions up to 3.2.210802(62532). The issue resides in an unknown function within the /Archive/ErecordManage/uploadFile.html file, where manipulation of the "File" argument enables attackers to upload arbitrary files. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require only network access and can exploit this with low complexity and no privileges or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to upload malicious files that could lead to further compromise depending on server configuration and file handling.
No vendor response or patch is available despite early disclosure contact. Advisories note that proof-of-concept exploits are publicly disclosed and may be utilized, with details and code available in GitHub repositories such as https://github.com/luoye197-prog/ziguang-fileupload and https://github.com/luoye197-prog/ziguang-fileupload/blob/main/introduce%26poc, alongside VulDB entries like https://vuldb.com/?ctiid.346475.
Security practitioners should restrict network access to affected systems, monitor upload endpoints for anomalies, and review the referenced POCs to assess exposure, as no official mitigations exist.
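One way to act on the monitoring advice above, as an added example (not code from the advisory or the vendor): it scans web access logs for write requests to the upload endpoint that come from outside an allowlist. The Combined Log Format, the `10.20.0.0/16` allowlist, the case-insensitive path match and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Endpoint named in the advisory for CVE-2026-2684.
UPLOAD_PATH = "/Archive/ErecordManage/uploadFile.html"
# Assumption: the only networks that should reach the upload endpoint.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.20.4.17 - - [19/Feb/2026:09:12:01 +0000] "POST /Archive/ErecordManage/uploadFile.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.44 - - [19/Feb/2026:09:14:37 +0000] "POST /Archive/ErecordManage/uploadFile.html HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.44 - - [19/Feb/2026:09:14:39 +0000] "POST /archive/erecordmanage/UPLOADFILE.html?x=1 HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.9 - - [19/Feb/2026:09:20:02 +0000] "GET /Archive/ErecordManage/uploadFile.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Feb/2026:09:21:15 +0000] "POST /login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(ip in net for net in ALLOWED_NETS)


def find_suspect_uploads(log_text):
    """Return (ip, timestamp, status) for uploads from outside ALLOWED_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        # Compare the path only: drop the query string, ignore case (assumption).
        path = m["path"].split("?", 1)[0].lower()
        if path == UPLOAD_PATH.lower() and not is_allowed(m["ip"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def uploads_per_source(hits):
    return Counter(ip for ip, _, _ in hits)
```

If the application sits behind a reverse proxy, the client address in the log is the proxy's unless the log format records the forwarded address, so adjust `LINE_RE` to the field that holds the real source.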
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7628
Vulnerability details
A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Unrestricted file upload in public-facing web app directly enables T1190 exploitation; facilitates arbitrary file ingress (T1105) and web shell deployment (T1505.003) for further compromise.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces validation of uploaded file content and type to block arbitrary or dangerous files via the File argument.
Restricts network access to the exposed /Archive/ErecordManage/uploadFile.html endpoint, eliminating remote unauthenticated exploitation.
Applies malicious-code scanning to uploaded files before they are stored or executed, limiting impact of CWE-434 uploads.