CVE-2026-4220
Published: 16 March 2026
Summary
CVE-2026-4220 is a high-severity Improper Access Control (CWE-284) vulnerability in Technologies Integrated Management Platform 7.17.0: an unrestricted file upload reachable through the targetPath and Suffix arguments of /SetWebpagePic.jsp. Its CVSS v3.1 base score is 7.3 (High). (The Feishu URL among the references hosts a write-up of the issue; Feishu is not the affected product.)
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 16.9th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations on the upload endpoint, directly addressing the improper access control that lets a caller choose targetPath and Suffix for unauthorized file writes via /SetWebpagePic.jsp.
- SI-10 (Information Input Validation): validates the targetPath and Suffix inputs so that arbitrary directories and file types cannot be requested, closing the unrestricted arbitrary file upload.
- Restricts file types, paths, and input parameters to block uploads of dangerous files via the vulnerable endpoint.
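The following Python example is added here to make the SI-10 and AC-3 advice concrete; it is not code from the affected product, whose server-side implementation is not public. It shows the unsafe pattern the advisory describes (caller-controlled directory and extension concatenated into a destination path) beside a hardened handler that allowlists the suffix, checks the file's magic bytes against the claimed type, restricts targetPath to simple sub-directory names, confirms the canonical destination stays under the upload root, and assigns a server-generated file name. The upload root, the image-only allowlist, the base name "pic" and the sample inputs are assumptions.

```python
import os
import re
import secrets

# Assumed server-side upload root; the real product's directory layout is not documented.
UPLOAD_ROOT = "/var/app/uploads/webpagepic"
# Assumed: the endpoint stores web-page pictures, so only image suffixes are legitimate.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}
# Magic bytes for the allowed types, used to check that content matches the claimed suffix.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Only simple relative sub-directory names are accepted for targetPath: no '.', no
# leading '/', no backslashes, no encoded junk.
SAFE_SUBDIR = re.compile(r"^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$")


class UploadRejected(ValueError):
    """Raised by the hardened handler when a request fails validation."""


def vulnerable_target(target_path: str, suffix: str, base_name: str = "pic") -> str:
    """The unsafe pattern the advisory describes: caller-controlled directory and
    extension are concatenated into the destination path with no checks, so '../'
    in targetPath and '.jsp' in Suffix produce a web-shell path outside the upload
    root. Returns the path that would be written to (base_name is an assumption)."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, target_path, base_name + suffix))


def hardened_target(target_path: str, suffix: str, data: bytes) -> str:
    """Hardened replacement. Returns the path to write, or raises UploadRejected."""
    suffix = suffix.lower()                       # compare case-insensitively (.JSP, .Png)
    if suffix not in ALLOWED_SUFFIXES:
        raise UploadRejected(f"suffix not allowed: {suffix!r}")
    if not any(data.startswith(m) for m in MAGIC[suffix]):
        raise UploadRejected("content does not match claimed image type")
    if not SAFE_SUBDIR.match(target_path):
        raise UploadRejected(f"bad targetPath: {target_path!r}")
    root = os.path.realpath(UPLOAD_ROOT)
    dest_dir = os.path.realpath(os.path.join(root, target_path))
    # Defence in depth: even if the regex were loosened later, the resolved
    # directory must still sit inside the upload root.
    if os.path.commonpath([root, dest_dir]) != root:
        raise UploadRejected("targetPath escapes the upload root")
    # Never reuse a client-supplied file name; pick one the attacker cannot predict.
    return os.path.join(dest_dir, secrets.token_hex(16) + suffix)


def rejects(target_path: str, suffix: str, data: bytes) -> bool:
    """True if the hardened handler refuses this request."""
    try:
        hardened_target(target_path, suffix, data)
        return False
    except UploadRejected:
        return True


# Constructed sample inputs, not captured traffic.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JSP_SHELL = b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>'

if __name__ == "__main__":
    print("vulnerable path:", vulnerable_target("../../../webapps/ROOT/", ".jsp"))
    print("hardened ok:", hardened_target("banners", ".png", PNG))
    print("rejects traversal:", rejects("../../../webapps/ROOT", ".png", PNG))
    print("rejects jsp suffix:", rejects("banners", ".jsp", JSP_SHELL))
    print("rejects jsp-as-png:", rejects("banners", ".png", JSP_SHELL))
```

The order of the checks matters less than the fact that each one is independent: the allowlist stops the dangerous suffix, the magic-byte check stops a shell renamed to .png, the regex and the realpath containment stop the directory escape, and the random name denies the attacker a predictable URL even if a file does get written. AC-3 is the one control this snippet cannot supply on its own; the handler should additionally run only for an authenticated, authorized session.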
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unrestricted upload in a public-facing web application (/SetWebpagePic.jsp) is reachable remotely without authentication, which is exactly Exploit Public-Facing Application (T1190); because the attacker also controls the destination path and file suffix, the same request can drop a JSP web shell (T1505.003, Server Software Component: Web Shell) for code execution and persistence.
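As an added example (not part of the original advisory), the detection logic below runs over a few constructed web-server access-log lines and flags both halves of the mapping above: a request to /SetWebpagePic.jsp whose targetPath contains traversal or whose Suffix is not an image extension (T1190), followed by a request from the same source to a previously unseen .jsp resource (T1505.003). The combined log format, the use of POST, and the parameters appearing in the query string are assumptions; if the product sends them in the request body, the same checks have to run on WAF or request-body logs instead.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format, not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Mar/2026:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Mar/2026:10:01:09 +0000] "POST /SetWebpagePic.jsp?targetPath=banners&Suffix=.png HTTP/1.1" 200 42 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Mar/2026:10:02:31 +0000] "POST /SetWebpagePic.jsp?targetPath=..%2F..%2F..%2Fwebapps%2FROOT&Suffix=.jsp HTTP/1.1" 200 42 "-" "python-requests/2.31"
198.51.100.23 - - [16/Mar/2026:10:02:33 +0000] "GET /pic.jsp?c=id HTTP/1.1" 200 310 "-" "python-requests/2.31"
203.0.113.7 - - [16/Mar/2026:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def suspicious_upload(params: dict) -> list:
    """Reasons a /SetWebpagePic.jsp request looks like CVE-2026-4220 exploitation."""
    reasons = []
    # parse_qs already percent-decodes once; decoding again catches double encoding.
    tp = unquote(params.get("targetPath", [""])[0])
    sfx = params.get("Suffix", [""])[0].lower()
    if ".." in tp or tp.startswith(("/", "\\")) or "\\" in tp or "\x00" in tp:
        reasons.append(f"targetPath traversal/absolute: {tp!r}")
    if sfx and sfx not in IMAGE_SUFFIXES:
        reasons.append(f"non-image Suffix: {sfx!r}")
    return reasons


def detect(log_text: str) -> list:
    """Return findings for exploitation attempts (T1190) and likely web-shell use (T1505.003)."""
    findings = []
    baseline_jsp = set()   # .jsp paths seen from sources that have not sent a flagged upload
    flagged_ips = set()    # sources that sent a suspicious upload request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = unquote(url.path)
        params = parse_qs(url.query)
        if path.endswith("/SetWebpagePic.jsp"):
            reasons = suspicious_upload(params)
            if reasons:
                findings.append({"technique": "T1190", "ip": m["ip"], "ts": m["ts"],
                                 "path": path, "reasons": reasons})
                flagged_ips.add(m["ip"])
            continue
        if path.lower().endswith(".jsp"):
            # A new .jsp resource requested by a source that already sent a flagged
            # upload is the web-shell callback. Shells fetched from a different
            # source IP are missed by this simple correlation; key on the path
            # instead if your logs carry the uploaded file name.
            if m["ip"] in flagged_ips and path not in baseline_jsp:
                findings.append({"technique": "T1505.003", "ip": m["ip"], "ts": m["ts"],
                                 "path": path, "status": m["status"]})
            else:
                baseline_jsp.add(path)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the sample, the benign upload from 203.0.113.7 (targetPath=banners, Suffix=.png) is not flagged, the traversal-plus-.jsp request from 198.51.100.23 produces a T1190 finding with two reasons, and that host's follow-up GET /pic.jsp produces the T1505.003 finding.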
NVD Description
A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-4220 is an unrestricted file upload vulnerability in Technologies Integrated Management Platform version 7.17.0. The issue affects an unknown functionality within the /SetWebpagePic.jsp file, where manipulation of the targetPath and Suffix arguments allows attackers to upload arbitrary files. This flaw is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by unauthenticated attackers with low attack complexity and no user interaction. The CVSS vector scores confidentiality, integrity and availability impact as Low, with further compromise depending on server permissions and file handling; in practice, if the attacker-chosen targetPath resolves under the servlet container's document root and the Suffix is .jsp, the uploaded file is a web shell (the T1505.003 mapping above) and the realistic outcome is code execution as the application's service account. Treat the 7.3 as a floor when prioritising remediation on internet-exposed instances.
VulDB entries (vuldb.com/?ctiid.351144, vuldb.com/?id.351144, vuldb.com/?submit.770523) and a write-up hosted on Feishu (my.feishu.cn/docx/EA9HdaXaQo80yTxKdw0c3UDmnmD) indicate that the exploit has been publicly disclosed and may be used. The vendor was contacted early regarding the disclosure but provided no response, and no patches or mitigations are mentioned in the available sources, so the compensating controls listed above are currently the only options.
Details
- CWE(s)