CVE-2026-2146

6.3 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to upload arbitrary files without restrictions through the updateAvatar function in guchengwuyue yshopmall. Attackers can exploit this to upload malicious files, potentially leading to server compromise. All users running yshopmall version 1.9.1 or earlier are affected.

💻 Affected Systems

Products:
  • guchengwuyue yshopmall
Versions: up to 1.9.1
Operating Systems: All platforms running yshopmall
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the FileUtil component in /api/users/updateAvatar endpoint

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Webshell upload allowing persistent backdoor access and data exfiltration

🟢 If Mitigated: File upload limited to authenticated users with proper file type validation and storage outside the web root

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised accounts

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in the project's GitHub issues; manipulation of the File argument leads to an unrestricted upload

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Monitor GitHub repository for updates. Consider applying community fixes if available.

🔧 Temporary Workarounds

Web Application Firewall Rule
Applies to: all
Block or restrict access to the /api/users/updateAvatar endpoint
WAF specific: configure a rule to block POST requests to /api/users/updateAvatar

File Upload Restriction
Applies to: all
Implement server-side file type validation and size limits
Application specific: modify FileUtil to validate file extensions and MIME types
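The following is an added example of the server-side validation this workaround describes; it is not code from the advisory or from the yshopmall project, whose FileUtil and updateAvatar handler are not shown here. It assumes an upload arrives as a client-supplied filename, the raw bytes, and the declared Content-Type, that only PNG, JPEG and GIF avatars are acceptable, that 2 MiB is the size limit, and that `storage_root` is a directory the web server does not serve. The allowlist, the magic-byte signatures and the sample payloads are all constructed for the example.

```python
"""Hardened avatar upload validation (added example, not yshopmall code)."""
import os
import secrets
from pathlib import Path

MAX_AVATAR_BYTES = 2 * 1024 * 1024  # assumed policy value: 2 MiB

# Allowlist of avatar types: extension -> (expected MIME type, file signatures).
# Everything not listed here is rejected, so script extensions never reach disk.
ALLOWED_TYPES = {
    "png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}

# Constructed sample payloads used for demonstration only.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32
SAMPLE_NOT_IMAGE = b"<html>constructed non-image content</html>"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def validate_avatar(filename: str, data: bytes, declared_mime: str) -> str:
    """Return the canonical extension for an acceptable upload, else raise.

    Checks in order: non-empty, size limit, extension allowlist (judged on the
    last suffix of the basename, so directory components and double extensions
    in the client name carry no weight), declared MIME type matching the
    extension, and the file signature matching the extension.
    """
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("file exceeds size limit")
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    expected_mime, signatures = ALLOWED_TYPES[ext]
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        raise UploadRejected("declared content type does not match extension")
    if not any(data.startswith(sig) for sig in signatures):
        raise UploadRejected("file signature does not match extension")
    return "jpg" if ext == "jpeg" else ext


def check_avatar(filename: str, data: bytes, declared_mime: str):
    """Non-raising wrapper: (True, ext) when accepted, (False, reason) otherwise."""
    try:
        return True, validate_avatar(filename, data, declared_mime)
    except UploadRejected as exc:
        return False, str(exc)


def store_avatar(user_id: int, filename: str, data: bytes, declared_mime: str,
                 storage_root: Path) -> Path:
    """Validate and write the avatar under storage_root with a random name.

    storage_root is assumed to lie outside the web root; the server-generated
    filename means nothing from the client influences the path or extension.
    """
    ext = validate_avatar(filename, data, declared_mime)
    user_dir = storage_root / str(user_id)
    user_dir.mkdir(parents=True, exist_ok=True)
    dest = user_dir / f"{secrets.token_hex(16)}.{ext}"
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    for name, payload, mime in [
        ("me.png", SAMPLE_PNG, "image/png"),
        ("me.JPEG", SAMPLE_JPEG, "image/jpeg"),
        ("page.php", SAMPLE_NOT_IMAGE, "image/png"),
        ("page.php.png", SAMPLE_NOT_IMAGE, "image/png"),
        ("page.png", SAMPLE_PNG, "text/html"),
    ]:
        print(name, "->", check_avatar(name, payload, mime))
```

The signature check is what makes the extension allowlist meaningful: a renamed script still fails because its bytes do not start with an image header, and the server-chosen random filename removes any remaining influence the client name could have on where or as what the file is stored.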

🧯 If You Can't Patch

  • Disable the updateAvatar functionality completely
  • Implement network segmentation to isolate yshopmall from critical systems

🔍 How to Verify

Check if Vulnerable:

Check if you are running yshopmall version 1.9.1 or earlier. Test by attempting to upload a file with a disallowed (non-image) extension to /api/users/updateAvatar; a vulnerable instance accepts it.

Check Version:

Check application version in configuration files or admin panel

Verify Fix Applied:

Verify file upload restrictions are enforced and only allowed file types can be uploaded

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /api/users/updateAvatar
  • Uploads of executable files (php, jsp, asp, etc.)
  • Large number of upload requests

Network Indicators:

  • POST requests to /api/users/updateAvatar with suspicious file names
  • Traffic patterns indicating file upload exploitation

SIEM Query:

source="web_server" AND uri="/api/users/updateAvatar" AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp")
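As an added example of the detection logic above (not part of the advisory or of any SIEM product), the script below runs the same three log indicators over constructed access-log lines: script extensions on uploads to /api/users/updateAvatar, double extensions whose final suffix looks harmless, and a burst of uploads from one client. It assumes key=value log lines carrying the fields the SIEM query relies on (`source`, `uri`, `file_extension`) plus `ts`, `method`, `client_ip` and `file_name`; the extension list beyond php/jsp/asp, the burst threshold and the sample lines are assumptions made for the example.

```python
"""Detect suspicious updateAvatar uploads in access logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_URI = "/api/users/updateAvatar"
# Extensions from the advisory (php, jsp, asp) plus common variants (assumed).
SCRIPT_EXTENSIONS = {"php", "php5", "phtml", "jsp", "jspx", "asp", "aspx", "jar", "war"}
BURST_THRESHOLD = 5               # uploads per client in the window (assumed)
BURST_WINDOW = timedelta(minutes=1)

# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOGS = """\
ts=2026-01-10T10:00:01Z source=web_server client_ip=198.51.100.7 method=POST uri=/api/users/updateAvatar status=200 file_name=me.png file_extension=png
ts=2026-01-10T10:00:05Z source=web_server client_ip=203.0.113.9 method=POST uri=/api/users/updateAvatar status=200 file_name=test.jsp file_extension=jsp
ts=2026-01-10T10:00:06Z source=web_server client_ip=203.0.113.9 method=POST uri=/api/users/updateAvatar status=200 file_name=pic.php.png file_extension=png
ts=2026-01-10T10:00:10Z source=web_server client_ip=203.0.113.9 method=GET uri=/api/users/info status=200
ts=2026-01-10T10:00:12Z source=web_server client_ip=203.0.113.9 method=POST uri=/api/users/updateAvatar status=200 file_name=notes.txt file_extension=txt
ts=2026-01-10T10:01:00Z source=web_server client_ip=192.0.2.44 method=POST uri=/api/users/updateAvatar status=200 file_name=a1.png file_extension=png
ts=2026-01-10T10:01:03Z source=web_server client_ip=192.0.2.44 method=POST uri=/api/users/updateAvatar status=200 file_name=a2.png file_extension=png
ts=2026-01-10T10:01:06Z source=web_server client_ip=192.0.2.44 method=POST uri=/api/users/updateAvatar status=200 file_name=a3.png file_extension=png
ts=2026-01-10T10:01:09Z source=web_server client_ip=192.0.2.44 method=POST uri=/api/users/updateAvatar status=200 file_name=a4.png file_extension=png
ts=2026-01-10T10:01:12Z source=web_server client_ip=192.0.2.44 method=POST uri=/api/users/updateAvatar status=200 file_name=a5.png file_extension=png
ts=2026-01-10T10:01:15Z source=web_server client_ip=192.0.2.44 method=POST uri=/api/users/updateAvatar status=200 file_name=a6.png file_extension=png
ts=2026-01-10T10:05:00Z source=web_server client_ip=198.51.100.7 method=POST uri=/api/users/updateAvatar status=200 file_name=me2.png file_extension=png
"""


def parse_line(line: str) -> dict:
    """Split a key=value access-log line into a dict (values contain no spaces)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_avatar_upload(ev: dict) -> bool:
    """True for POSTs to the vulnerable endpoint, matching the SIEM query's scope."""
    return (ev.get("source") == "web_server" and ev.get("uri") == TARGET_URI
            and ev.get("method") == "POST")


def detect(lines) -> list:
    """Return one alert dict per indicator hit, in log order."""
    alerts = []
    recent = defaultdict(list)   # client_ip -> upload timestamps inside the window
    burst_reported = set()       # report a burst once per client
    for line in lines:
        ev = parse_line(line)
        if not is_avatar_upload(ev):
            continue
        ip = ev.get("client_ip", "?")
        name = ev.get("file_name", "")
        ext = ev.get("file_extension", "").lower()
        inner = name.lower().split(".")[1:-1]   # suffixes hidden before the last one
        if ext in SCRIPT_EXTENSIONS:
            alerts.append({"rule": "script_extension", "client_ip": ip, "file_name": name})
        elif any(part in SCRIPT_EXTENSIONS for part in inner):
            alerts.append({"rule": "double_extension", "client_ip": ip, "file_name": name})
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        recent[ip] = [t for t in recent[ip] if ts - t <= BURST_WINDOW] + [ts]
        if len(recent[ip]) >= BURST_THRESHOLD and ip not in burst_reported:
            burst_reported.add(ip)
            alerts.append({"rule": "upload_burst", "client_ip": ip, "count": len(recent[ip])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Against the constructed lines this yields three alerts: the `.jsp` upload, the `pic.php.png` name that the plain extension query would miss, and the burst from 192.0.2.44 once its fifth upload lands inside the one-minute window (the sixth does not re-alert). A real deployment would feed parsed web-server events in place of `SAMPLE_LOGS` and tune `BURST_THRESHOLD` to normal avatar-change rates.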
