Cyber Posture

CVE-2026-36767

Critical

Published: 30 April 2026
Modified: 30 April 2026
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (24.1th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-36767 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mitigates the path traversal vulnerability by enforcing input validation on file paths in POST requests to the /content/images/add endpoint, blocking sequences such as '../'.

SI-2 Flaw Remediation (prevent)
Requires timely patching of the specific flaw in Shopizer v3.2.5, with fixes documented in the GitHub repository, to eliminate the arbitrary file write capability.

Boundary protection (prevent)
A web application firewall at external interfaces monitors and blocks crafted POST requests containing path traversal payloads.
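As an added example, not code from Shopizer or from this advisory, this is the shape of the SI-10 input-validation control described above: a client-supplied image name is accepted only if it matches an allowlist, then resolved under a fixed upload root and checked for containment before any write happens. The upload root, the allowed extensions and the sample names are constructed assumptions, not values from the page.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Hypothetical helper, not Shopizer code: accept only a plain image file name
 * for an upload endpoint such as /content/images/add and resolve it strictly
 * inside a configured upload root.
 */
public final class SafeImagePath {

    // Allowlist: a bare file name, no separators, no dots except before the extension.
    private static final Pattern SAFE_NAME =
        Pattern.compile("^[A-Za-z0-9][A-Za-z0-9_-]{0,99}\\.(?:png|jpe?g|gif|webp)$");

    private SafeImagePath() {}

    /** Returns the normalized target path, or throws if the name is not acceptable. */
    public static Path resolveInside(Path uploadRoot, String fileName) {
        // The name is assumed to be already URL-decoded by the web framework.
        // The allowlist rejects "../", "..\\", absolute paths and NUL bytes in one step.
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("file name rejected by allowlist");
        }
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(fileName).normalize();
        // Defense in depth: confirm the resolved path still sits under the root.
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("resolved path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/shopizer/files/images"); // constructed root
        String[] samples = {                                  // constructed inputs
            "banner.png",
            "../../../../tmp/escape.txt",
            "..\\..\\webapps\\escape.txt",
            "/etc/hostname"
        };
        for (String name : samples) {
            try {
                System.out.println("ACCEPT " + resolveInside(root, name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + name + ": " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the other three are rejected by the allowlist before the filesystem is touched, and the containment check remains as a second layer should the allowlist ever be loosened.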

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal enables unauthenticated remote arbitrary file write on a public-facing application (T1190), direct ingress of malicious payloads or tools (T1105), and deployment of web shells for execution and persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafted POST request.

Deeper analysis

CVE-2026-36767, published on 2026-04-30, is a path traversal vulnerability (CWE-22) in Shopizer version 3.2.5. The issue affects the /content/images/add endpoint, where attackers can write arbitrary files to any writable path on the server via a crafted POST request. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critically severe due to its network accessibility, low attack complexity, lack of prerequisites, and broad impacts across confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability by sending a specially crafted POST request to the vulnerable endpoint. Successful exploitation enables arbitrary file writes to any writable directory, potentially allowing attackers to overwrite critical files, deploy malicious payloads, or escalate privileges depending on server permissions and configuration.

Advisories and mitigation details are available in the Shopizer GitHub repository (https://github.com/shopizer-ecommerce/shopizer) and related issue tracker (https://github.com/shopizer-ecommerce/shopizer/issues/1091), where patches or workarounds may be documented.

Details

CWE(s): CWE-22 (Path Traversal)

CVEs Like This One

CVE-2026-5027 (shared CWE-22)
CVE-2025-41714 (shared CWE-22)
CVE-2026-7411 (shared CWE-22)
CVE-2025-2707 (shared CWE-22)
CVE-2025-2363 (shared CWE-22)
CVE-2026-25732 (shared CWE-22)
CVE-2026-34414 (shared CWE-22)
CVE-2026-36760 (shared CWE-22)
CVE-2026-39308 (shared CWE-22)
CVE-2025-67684 (shared CWE-22)
