Cyber Resilience

CVE-2026-4220

Medium

Published: 16 March 2026

Published
16 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 18.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4220 is a medium-severity Improper Access Control (CWE-284) vulnerability in Feishu (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4220 is an unrestricted file upload vulnerability in Technologies Integrated Management Platform version 7.17.0. The issue affects an unknown functionality within the /SetWebpagePic.jsp file, where manipulation of the targetPath and Suffix arguments allows attackers to upload arbitrary files. This flaw is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers requiring low complexity and no user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing attackers to upload malicious files that could lead to further compromise depending on server permissions and file handling.

Advisories from VulDB indicate that the exploit has been publicly disclosed and may be actively used, with references including detailed entries at vuldb.com/?ctiid.351144, vuldb.com/?id.351144, and vuldb.com/?submit.770523, as well as a Feishu document at my.feishu.cn/docx/EA9HdaXaQo80yTxKdw0c3UDmnmD. The vendor was contacted early regarding the disclosure but provided no response, and no patches or mitigations are mentioned in available sources.

EU & UK References

Vulnerability details

A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated remotely. The…

more

exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in public-facing web app (/SetWebpagePic.jsp) directly enables remote exploitation of exposed applications (T1190) and deployment of arbitrary malicious files including web shells (T1505.003) for code execution/persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13144Shared CWE-284, CWE-434
CVE-2025-8255Shared CWE-284, CWE-434
CVE-2025-2219Shared CWE-284, CWE-434
CVE-2025-7413Shared CWE-284, CWE-434
CVE-2025-0341Shared CWE-284, CWE-434
CVE-2026-3748Shared CWE-284, CWE-434
CVE-2026-2666Shared CWE-284, CWE-434
CVE-2026-2979Shared CWE-284, CWE-434
CVE-2026-3800Shared CWE-284, CWE-434
CVE-2025-1355Shared CWE-284, CWE-434

Affected Assets

Feishu
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to directly address the improper access control allowing manipulation of targetPath/Suffix for unauthorized file uploads in /SetWebpagePic.jsp.

prevent

Validates the validity of targetPath and Suffix inputs to comprehensively prevent unrestricted arbitrary file uploads.

prevent

Restricts file types, paths, and input parameters to block unrestricted uploads of dangerous files via the vulnerable endpoint.

References