CVE-2026-3748

MediumPublic PoC

Published: 08 March 2026

Published

08 March 2026

Modified

10 March 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0014 33.2th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3748 is a medium-severity Improper Access Control (CWE-284) vulnerability in Bytedesk Bytedesk. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the unrestricted file upload flaw via patching to version 1.4.5.1.

SI-10 Information Input Validation good match

prevent

Mandates validation of uploaded files at entry points to block dangerous types like malicious SVGs, directly countering CWE-434.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for file upload operations, addressing CWE-284 improper access control exploitable by low-privileged remote users.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Unrestricted file upload vulnerability in public-facing Bytedesk application enables exploitation of public-facing application (T1190) and facilitates deployment of web shells via upload of malicious files (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A security flaw has been discovered in Bytedesk up to 1.3.9. This affects the function uploadFile of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java of the component SVG File Handler. Performing a manipulation results in unrestricted upload. Remote exploitation of the attack is possible.…

The exploit has been released to the public and may be used for attacks. Upgrading to version 1.4.5.1 is able to mitigate this issue. The patch is named 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is recommended.

Deeper analysisAI

CVE-2026-3748 is a vulnerability in Bytedesk versions up to 1.3.9 that enables unrestricted file upload. It affects the uploadFile function in the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java within the SVG File Handler component.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely over the network with low complexity by an attacker possessing low privileges, without requiring user interaction and with unchanged scope. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, stemming from CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). Remote exploitation is possible, and a public exploit has been released.

Mitigation involves upgrading to Bytedesk version 1.4.5.1, which addresses the issue via the patch commit 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is recommended, with details available in the project's GitHub repository, commit history, and related issues.

The exploit's public release increases the risk of attacks against unpatched Bytedesk instances.

Details

CWE(s): CWE-284 CWE-434

Affected Products

bytedesk

≤ 1.4.5.1

CVEs Like This One

CVE-2026-3749Same product: Bytedesk Bytedesk

CVE-2026-3789Same product: Bytedesk Bytedesk

CVE-2026-3788Same product: Bytedesk Bytedesk

CVE-2026-3800Shared CWE-284, CWE-434

CVE-2025-1598Shared CWE-284, CWE-434

CVE-2024-13191Shared CWE-284, CWE-434

CVE-2026-4191Shared CWE-284, CWE-434

CVE-2024-13144Shared CWE-284, CWE-434

CVE-2025-1355Shared CWE-284, CWE-434

CVE-2025-7190Shared CWE-284, CWE-434

References

https://github.com/Bytedesk/bytedesk/
Product · cna@vuldb.com
https://github.com/Bytedesk/bytedesk/commit/975e39e4dd527596987559f56c5f9f973f64eff7
Patch · cna@vuldb.com
https://github.com/Bytedesk/bytedesk/issues/18
Exploit, Vendor Advisory, Issue Tracking · cna@vuldb.com
https://github.com/Bytedesk/bytedesk/issues/18#issue-3993448721
Exploit, Vendor Advisory, Issue Tracking · cna@vuldb.com
https://github.com/Bytedesk/bytedesk/issues/18#issuecomment-3976672973
Exploit, Vendor Advisory, Issue Tracking · cna@vuldb.com
https://github.com/Bytedesk/bytedesk/releases/tag/v1.4.5.1
Release Notes · cna@vuldb.com
https://vuldb.com/?ctiid.349726
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.349726
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.768028
Third Party Advisory, VDB Entry · cna@vuldb.com