CVE-2026-2146 · HIGH 8.8 · EPSS percentile 21.3%

Description

A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. It affects the function updateAvatar of the file /api/users/updateAvatar in the component co.yixiang.utils.FileUtil. Manipulating the argument File results in an unrestricted upload. The attack can be carried out remotely. An exploit has been released to the public and may be used in attacks. The project was informed of the problem early through an issue report but has not responded yet.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.3% · 2026-06-19T12:03:05Z
Published: 2026-02-08
Last modified: 2026-04-29

Underlying weaknesses (2)

CWE-284, CWE-434

References

  1. https://github.com/guchengwuyue/yshopmall/
  2. https://github.com/guchengwuyue/yshopmall/issues/40
  3. https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812
  4. https://vuldb.com/?ctiid.344848
  5. https://vuldb.com/?id.344848
  6. https://vuldb.com/?submit.747409

Type     | Target                                                  | Confidence | Tier
Weakness | Improper Access Control (cwe-284)                       | 0%         | live
Weakness | Unrestricted Upload of File with Dangerous Type (cwe-434) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus (all of type CVE):

  1. CVE-2026-1061
  2. CVE-2025-4258
  3. CVE-2026-1107
  4. CVE-2025-14086
  5. CVE-2025-3558
  6. CVE-2025-15496
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.