CVE-2026-2684

Medium

Published: 19 February 2026

Modified: 03 March 2026
KEV Added
Patch
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0049 (38.1th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2684 is a medium-severity Improper Access Control (CWE-284) vulnerability in Unigroup Electronic Archives System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2684 is an unrestricted file upload vulnerability in Tsinghua Unigroup Electronic Archives System versions up to 3.2.210802(62532). The issue resides in an unknown function within the /Archive/ErecordManage/uploadFile.html file, where manipulation of the "File" argument enables attackers to upload arbitrary files. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require only network access and can exploit this with low complexity and no privileges or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to upload malicious files that could lead to further compromise depending on server configuration and file handling.

The vendor did not respond to early disclosure contact, and no patch is available. Advisories note that proof-of-concept exploits are publicly disclosed and may be utilized, with details and code available in GitHub repositories such as https://github.com/luoye197-prog/ziguang-fileupload and https://github.com/luoye197-prog/ziguang-fileupload/blob/main/introduce%26poc, alongside VulDB entries like https://vuldb.com/?ctiid.346475.

Security practitioners should restrict network access to affected systems, monitor upload endpoints for anomalies, and review the referenced POCs to assess exposure, as no official mitigations exist.
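
One way to monitor the upload endpoint as recommended above, shown as an added example (not code from the vendor, the advisories, or the referenced repositories): it scans web access logs for POST requests to /Archive/ErecordManage/uploadFile.html that arrive from outside an allowlist, normalising the request path first so case and encoding variants are not missed. The Combined Log Format, the ALLOWED_NETS value, the case-insensitive match, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

UPLOAD_PATH = "/archive/erecordmanage/uploadfile.html"  # endpoint from the advisory
# Assumption: networks permitted to reach the archive system (constructed).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Drop query/fragment, percent-decode once, strip ;params, fold case."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    path = path.split(";", 1)[0]
    return re.sub(r"/{2,}", "/", path).lower()

def is_allowed(ip_text):
    """True only for a parseable address inside an allowed network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or junk in the field: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)

def flag_uploads(lines):
    """Return (ip, time, status, outcome) for upload POSTs from outside the allowlist."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalise_path(m["target"]) != UPLOAD_PATH or is_allowed(m["ip"]):
            continue
        status = int(m["status"])
        outcome = "accepted" if 200 <= status < 300 else "rejected"
        findings.append((m["ip"], m["ts"], status, outcome))
    return findings

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '10.20.4.17 - alice [03/Mar/2026:09:12:01 +0000] "POST /Archive/ErecordManage/uploadFile.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [03/Mar/2026:09:14:27 +0000] "POST /archive/ERECORDMANAGE/uploadFile.html?x=1 HTTP/1.1" 200 498 "-" "curl/8.5.0"',
    '198.51.100.9 - - [03/Mar/2026:09:15:02 +0000] "POST /Archive//ErecordManage/upload%46ile.html HTTP/1.1" 403 153 "-" "python-requests/2.32"',
    '203.0.113.45 - - [03/Mar/2026:09:16:40 +0000] "GET /Archive/ErecordManage/uploadFile.html HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
]
```

An "accepted" finding from an unexpected source is the case to triage first; "rejected" findings show that boundary controls are being probed and are holding.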

Vulnerability details

A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Unrestricted file upload in a public-facing web app directly enables T1190 exploitation, and it facilitates arbitrary file ingress (T1105) and web shell deployment (T1505.003) for further compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2682: Same product: Unigroup Electronic Archives System
CVE-2026-3025: Shared CWE-284, CWE-434
CVE-2025-0460: Shared CWE-284, CWE-434
CVE-2025-1555: Shared CWE-284, CWE-434
CVE-2026-2977: Shared CWE-284, CWE-434
CVE-2026-4201: Shared CWE-284, CWE-434
CVE-2025-2350: Shared CWE-284, CWE-434
CVE-2026-2978: Shared CWE-284, CWE-434
CVE-2025-2115: Shared CWE-284, CWE-434
CVE-2026-4221: Shared CWE-284, CWE-434

Affected Assets

unigroup electronic archives system ≤ 3.2.210802(62532)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly enforces validation of uploaded file content and type to block arbitrary or dangerous files via the File argument.

prevent

Restricts network access to the exposed /Archive/ErecordManage/uploadFile.html endpoint, eliminating remote unauthenticated exploitation.

prevent, detect

Applies malicious-code scanning to uploaded files before they are stored or executed, limiting impact of CWE-434 uploads.
