xiweicheng TMS, Unrestricted File Upload, CVE-2026-1061 (MEDIUM)

Listen to this Post

A vulnerability classified as CVE-2026-1061 exists in xiweicheng TMS up to version 2.28.0. The issue resides in the `Upload` function within the `FileController.java` file. The vulnerability stems from improper handling of the `filename` argument, allowing an attacker to manipulate it to bypass restrictions. This results in an unrestricted file upload capability, meaning the application fails to validate the type or content of the uploaded file. Because the upload functionality is accessible remotely, an authenticated attacker can upload malicious files, such as web shells or executable scripts, to the server. The exploitation technique is relatively simple, requiring only a crafted HTTP request to the upload endpoint. With a public exploit now available, the risk of active exploitation is heightened. The CVSS v4.0 score for this vulnerability is 5.3 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P.

DailyCVE Form:

Platform: xiweicheng TMS
Version: Up to 2.28.0
Vulnerability: Unrestricted File Upload
Severity: MEDIUM
Date: 01/17/2026

Prediction: 30 days

What Undercode Say:

Analytics:

The vulnerability is caused by missing validation on the `filename` parameter in the upload controller. Attackers can exploit this by sending a POST request with a file containing a malicious extension (e.g., `.jsp` or .php). Below are commands to test and identify vulnerable instances.

Detection & Exploit:

Use curl to attempt uploading a test PHP file to a vulnerable TMS server
This is for educational purposes only on authorized systems.
curl -X POST -F "[email protected]" -F "filename=shell.php" http://target-tms.com/file/upload
Simple bash one-liner to check if the server allows the upload
Look for a response containing the path to the uploaded file.
curl -s -o /dev/null -w "%{http_code}" -F "[email protected]" -F "filename=test.txt" http://target-tms.com/file/upload
Grep search to find vulnerable controller code in a codebase
grep -r "FileController.java" --include=".java" -A 10 -B 10 | grep "upload"

Protection from this CVE:

Implement strict file type validation based on content (MIME type), not just the file extension.
Sanitize the filename parameter to remove or encode any path traversal characters (e.g., .., /).
Store uploaded files outside the web root and serve them via a script that enforces access controls.
Apply the official patch from the vendor once released and update to a secure version.

Impact:

Remote code execution on the server if a web shell is uploaded.
Complete compromise of the web application and server data.

Defacement of the website or data loss.

Use of the compromised server as a pivot point for further attacks inside the network.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top