Cyber Resilience

CVE-2026-36767

Critical

Published: 30 April 2026

Modified: 30 April 2026
KEV Added: not listed
CVSS v3.1 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0041 (33.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-36767 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-36767, published on 2026-04-30, is a path traversal vulnerability (CWE-22) in Shopizer version 3.2.5. The issue affects the /content/images/add endpoint, where a crafted POST request can write arbitrary files to any path the server process is able to write to. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); the score is Critical because the endpoint is reachable over the network, the attack is low-complexity, no privileges or user interaction are required, and the impact spans confidentiality, integrity, and availability with a scope change.

Unauthenticated remote attackers can exploit this vulnerability by sending a specially crafted POST request to the vulnerable endpoint. Successful exploitation enables arbitrary file writes to any writable directory, potentially allowing attackers to overwrite critical files, deploy malicious payloads, or escalate privileges depending on server permissions and configuration.

Advisories and mitigation details are available in the Shopizer GitHub repository (https://github.com/shopizer-ecommerce/shopizer) and related issue tracker (https://github.com/shopizer-ecommerce/shopizer/issues/1091), where patches or workarounds may be documented.


Vulnerability details

A path traversal vulnerability in the /content/images/add endpoint of Shopizer v3.2.5 allows attackers to write arbitrary files to any writable path via a crafted POST request.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal gives an unauthenticated remote attacker an arbitrary file write on a public-facing application (T1190); that same write is a direct channel for bringing malicious payloads or tools onto the host (T1105) and for dropping a web shell for execution and persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7411 (shared CWE-22)
CVE-2026-5027 (shared CWE-22)
CVE-2025-41714 (shared CWE-22)
CVE-2025-2363 (shared CWE-22)
CVE-2025-2707 (shared CWE-22)
CVE-2025-24406 (shared CWE-22)
CVE-2026-24848 (shared CWE-22)
CVE-2024-11642 (shared CWE-22)
CVE-2026-36760 (shared CWE-22)
CVE-2026-27969 (shared CWE-22)


Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly mitigates the path traversal vulnerability by enforcing input validation on file paths in POST requests to the /content/images/add endpoint, blocking sequences like '../'.

SI-2 Flaw Remediation (prevent): Requires timely patching of the specific flaw in Shopizer v3.2.5, with fixes documented in the GitHub repository, to eliminate the arbitrary file write capability.

SC-7 Boundary Protection (prevent): Boundary protection via a web application firewall monitors and blocks crafted POST requests containing path traversal payloads at external interfaces.
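The SI-10 control above is phrased as blocking '../' sequences. The more robust form of the same check, shown here as an added example that is not Shopizer's own code, is a positive test: canonicalise the requested name against the upload directory and accept the write only if the resolved path stays inside it. The upload directory, file names and save routine below are constructed for illustration; the real application's directory layout and request handling are assumptions here.

```python
"""Canonicalising path check for a file-write endpoint (added example).

Rather than searching for the literal string '../', the check resolves the
candidate path and verifies it is still under the upload root. That single
test covers '..' segments, absolute paths, and symlinks that point outside
the directory, because Path.resolve() collapses all of them.
"""
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed sandbox standing in for the application's image upload root
# (assumption: the real service writes under one fixed, dedicated directory).
BASE_DIR = tempfile.mkdtemp(prefix="uploads-")


class UnsafePathError(ValueError):
    """Raised when a requested file name would leave the upload directory."""


def resolve_upload_path(base_dir: str, requested_name: str) -> Path:
    """Return the absolute path a write may use, or raise UnsafePathError."""
    base = Path(base_dir).resolve()
    if not requested_name or "\x00" in requested_name:
        raise UnsafePathError("empty name or NUL byte in file name")
    # Reject absolute names for either platform style before joining; a
    # pathlib join with an absolute right-hand side would discard base_dir.
    if (PurePosixPath(requested_name).is_absolute()
            or PureWindowsPath(requested_name).is_absolute()):
        raise UnsafePathError("absolute path not allowed")
    candidate = (base / requested_name).resolve()  # collapses '..' and symlinks
    try:
        candidate.relative_to(base)  # raises ValueError if outside base
    except ValueError:
        raise UnsafePathError(f"{requested_name!r} escapes the upload directory") from None
    if candidate == base:
        raise UnsafePathError("name resolves to the upload directory itself")
    return candidate


def is_safe(base_dir: str, requested_name: str) -> bool:
    """Boolean convenience wrapper around resolve_upload_path()."""
    try:
        resolve_upload_path(base_dir, requested_name)
        return True
    except UnsafePathError:
        return False


def save_upload(base_dir: str, requested_name: str, data: bytes) -> Path:
    """Validate the name first, then create parent folders and write the bytes."""
    target = resolve_upload_path(base_dir, requested_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    # Constructed request names, as a handler might receive them after decoding.
    samples = ["logo.png", "2026/04/banner.jpg", "a/../b.png",
               "../outside.txt", "/tmp/outside.txt", "", "x\x00.png"]
    for name in samples:
        verdict = "accepted" if is_safe(BASE_DIR, name) else "rejected"
        print(f"{verdict:8} {name!r}")
```

The check runs on the decoded value the application actually passes to the filesystem, which is where SI-10 belongs; a WAF rule keyed on the literal '../' string (the SC-7 layer) is a useful second barrier but not a substitute, since the application decodes and normalises input after the request has crossed the boundary.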
