CRITICAL🇵🇱 Wersja polska

CVE-2026-36767

CVSS 10.0v3.1pub. 2026-04-30

A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request.

🤖 AI Analysis
How it works

The /content/images/add endpoint does not properly validate the target path of uploaded files. An attacker sends a crafted HTTP POST request containing path traversal sequences (e.g., '../'), which allows escaping the permitted directory and writing files to any location accessible by the server process. The attack requires no authentication or user interaction.

Impact

An attacker can write arbitrary files — including malicious executable code (e.g., web shell) — to accessible system directories, which in practice can lead to server compromise (RCE), data disclosure, or complete integrity breach of the application and operating system.

Mitigation & patch

Apply patches available from the vendor according to the references. As a temporary workaround, restrict access to the /content/images/add endpoint at the firewall or web server level and require authentication for all content management operations.

Who is affected

Shopizer version 3.2.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References