CRITICAL🇵🇱 Wersja polska

CVE-2026-21628

CVSS 10.0v4.0pub. 2026-03-05upd. 2026-03-13

A improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution.

🤖 AI Analysis
How it works

The file management function in Astroid Framework does not require authentication and does not sufficiently verify the types of uploaded files (CWE-434: Unrestricted Upload of File with Dangerous Type). An attacker can upload an executable file (e.g., PHP webshell) to the server without needing any permissions. Once the file is placed on the server, it can be executed remotely, resulting in arbitrary code execution in the context of the application server.

Impact

An unauthenticated attacker can gain full control over the server by executing arbitrary code remotely (RCE), which can lead to complete system compromise, data theft, and further lateral movement within the network.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Until the fix is deployed, it is recommended to restrict access to file management functions at the firewall or web server level and disable the ability to execute files in directories designated for uploads.

Who is affected

Templaza Astroid Framework — versions indicated in the vendor's references (https://astroidframe.work)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
  • Templaza Astroid Framework

    APP
    Templaza
    2.0.0 – 3.3.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References