Cyber Resilience

CVE-2026-3749

Severity: Medium · Public PoC available

Published: 08 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: 1.4.5.1 (commit 975e39e4dd527596987559f56c5f9f973f64eff7)
CVSS v4 score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0042 (33.7th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-3749 is a medium-severity Improper Access Control (CWE-284) vulnerability in Bytedesk Bytedesk. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3749 is an unrestricted file upload vulnerability affecting Bytedesk versions up to 1.3.9. The issue resides in the handleFileUpload function within the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the SVG File Handler component. This weakness, tied to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), allows manipulation that bypasses file upload restrictions.

The vulnerability can be exploited remotely by a low-privileged user (PR:L) over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), earning a CVSS v3.1 base score of 6.3 (C:L/I:L/A:L). Successful exploitation enables limited confidentiality, integrity, and availability impacts through unrestricted file uploads, with a public exploit available for potential attacks.

Mitigation is addressed by upgrading to Bytedesk version 1.4.5.1, which includes the patch commit 975e39e4dd527596987559f56c5f9f973f64eff7. Additional details are available in the project's GitHub repository, including issue #19 and related comments.

Exploitation in the wild has not been reported, but the public availability of the exploit increases risk for unpatched instances.

Vulnerability details

A weakness has been identified in Bytedesk up to 1.3.9. This vulnerability affects the function handleFileUpload of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the component SVG File Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely.

The exploit has been made available to the public and could be used for attacks. Upgrading to version 1.4.5.1 is able to resolve this issue. This patch is called 975e39e4dd527596987559f56c5f9f973f64eff7. It is recommended to upgrade the affected component.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An unrestricted file upload in a public-facing web application (Bytedesk) enables remote exploitation for initial access (T1190) and facilitates web shell deployment (T1100) through the upload of malicious files such as JSP shells.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-3748 (same product: Bytedesk Bytedesk)
- CVE-2026-3789 (same product: Bytedesk Bytedesk)
- CVE-2026-3788 (same product: Bytedesk Bytedesk)
- CVE-2026-4220 (shared CWE-284, CWE-434)
- CVE-2026-0547 (shared CWE-284, CWE-434)
- CVE-2025-7755 (shared CWE-284, CWE-434)
- CVE-2025-1598 (shared CWE-284, CWE-434)
- CVE-2025-15404 (shared CWE-284, CWE-434)
- CVE-2025-15503 (shared CWE-284, CWE-434)
- CVE-2025-9476 (shared CWE-284, CWE-434)

Affected Assets

Vendor: bytedesk
Product: bytedesk
Versions: ≤ 1.4.5.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent: SI-2 requires timely flaw remediation through patching, directly addressing the unrestricted file upload vulnerability fixed in Bytedesk 1.4.5.1.
- Prevent: SI-10 mandates validation of information inputs such as file uploads, preventing exploitation of the handleFileUpload function by rejecting dangerous file types or malformed content.
- Prevent: SI-9 enforces restrictions on input types such as file extensions in the SVG File Handler, blocking unrestricted uploads of dangerous files.
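As an added illustration of the SI-10 and SI-9 controls above and of the handleFileUpload weakness described under Deeper analysis (example code written for this page, not Bytedesk's own), the following Java validator accepts an SVG upload only after checking its bytes: a final-extension allow-list, XML parsing with DTDs disabled, a root-element check, and rejection of script-bearing content. The class and method names are assumptions, and the last step goes beyond the page in also refusing active SVG content, which matters once uploads are served back to browsers.

```java
import java.io.ByteArrayInputStream;
import java.util.Locale;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.NodeList;
// Added example, not Bytedesk code: accept an SVG upload only after checking its bytes,
// never on the strength of the client-supplied file name or Content-Type alone.
public final class SvgUploadValidator {
    private static final String SVG_NS = "http://www.w3.org/2000/svg";
    /** Returns null if the upload is acceptable, otherwise the reason it was rejected. */
    public static String validate(String originalName, String declaredType, byte[] content) {
        // 1. Drop any path component, then allow-list the final extension only ("a.svg.jsp" fails).
        String base = originalName.replaceAll("^.*[/\\\\]", "").toLowerCase(Locale.ROOT);
        if (base.length() < 5 || !base.endsWith(".svg")) return "extension not allowed";
        // 2. The declared type is client-controlled: check it, but never rely on it alone.
        if (!"image/svg+xml".equalsIgnoreCase(declaredType)) return "unexpected Content-Type";
        try {
            // 3. Parse as XML with DTDs forbidden and secure processing on (no XXE, no entity bombs).
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(content));
            Element root = doc.getDocumentElement();
            // 4. The bytes must really be an SVG document, not HTML or a JSP renamed to .svg.
            if (!"svg".equals(root.getLocalName()) || !SVG_NS.equals(root.getNamespaceURI()))
                return "root element is not <svg>";
            // 5. Refuse script-bearing content before the file is stored and later served to browsers.
            NodeList all = doc.getElementsByTagNameNS("*", "*"); // every element, root included
            for (int i = 0; i < all.getLength(); i++) {
                Element el = (Element) all.item(i);
                String name = el.getLocalName().toLowerCase(Locale.ROOT);
                if (name.equals("script") || name.equals("foreignobject")) return "forbidden element: " + name;
                NamedNodeMap attrs = el.getAttributes();
                for (int j = 0; j < attrs.getLength(); j++) {
                    String attr = attrs.item(j).getNodeName().toLowerCase(Locale.ROOT);
                    String val = attrs.item(j).getNodeValue().trim().toLowerCase(Locale.ROOT);
                    if (attr.startsWith("on")) return "event handler attribute: " + attr;
                    if (attr.endsWith("href") && val.startsWith("javascript:")) return "javascript: URI in " + attr;
                }
            }
            return null; // passed every check
        } catch (Exception e) { // ParserConfigurationException, SAXException, IOException
            return "not well-formed XML";
        }
    }
}
```

Call validate() with the multipart part's original file name, its declared Content-Type and the raw bytes before anything is written to disk; a non-null result is the audit-log reason for the rejection.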
