CVE-2026-3187
📋 TL;DR
This vulnerability allows remote attackers to upload arbitrary files to the sz-boot-parent application via the /api/admin/sys-file/upload API endpoint. Affected systems are those running sz-boot-parent versions up to 1.3.2-beta with the vulnerable endpoint exposed. Attackers could potentially upload malicious files to compromise the system.
💻 Affected Systems
- feiyuchuixue sz-boot-parent
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment
Likely Case
Malicious file upload enabling web shell installation, data manipulation, or denial of service
If Mitigated
Limited impact with proper file type validation and access controls in place
🎯 Exploit Status
Exploit details are publicly documented; attack requires access to the upload endpoint but may not require authentication depending on configuration
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3-beta
Vendor Advisory: https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
Restart Required: Yes
Instructions:
1. Backup current configuration and data.
2. Upgrade to version 1.3.3-beta.
3. Verify the patch commit aefaabfd7527188bfba3c8c9eee17c316d094802 is applied.
4. Restart the application.
5. Test the upload functionality with restricted file types.
🔧 Temporary Workarounds
Implement file upload restrictions
- Manually configure whitelist restrictions for file extensions and MIME types
- Configure oss.allowedExts and oss.allowedMimeTypes in application properties
Disable vulnerable endpoint
- Temporarily disable or block access to the /api/admin/sys-file/upload endpoint
- Use web server configuration (nginx/apache) to block the endpoint or implement application-level access control
🧯 If You Can't Patch
- Implement strict file type validation at the application layer
- Deploy WAF rules to block malicious file upload patterns
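The following is an added illustration of what "strict file type validation at the application layer" means in practice; it is not code from sz-boot-parent (a Java project) and does not reproduce its oss.allowedExts / oss.allowedMimeTypes handling. The allow-lists, the magic-byte table and the size limit are assumptions chosen for the example. The check is deliberately layered: the filename is reduced to its last path component, only a single safe extension is accepted (so double extensions like shell.jsp.png are rejected), the declared MIME type must both be allowed and agree with the extension, and for binary formats the leading bytes must match the declared type.

```python
import re

# Constructed allow-lists for this example. In sz-boot-parent the equivalent settings are
# oss.allowedExts and oss.allowedMimeTypes in the application properties; the values here
# are assumptions, not the project's defaults.
EXT_TO_MIME = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "pdf": "application/pdf",
    "txt": "text/plain",
}
ALLOWED_MIME_TYPES = set(EXT_TO_MIME.values())

# Leading bytes each binary type must start with. Checking the content, not only the
# declared Content-Type, catches a script renamed to .png with a forged header.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": b"%PDF-",
}

# Exactly one extension, safe characters only: rejects 'shell.jsp.png', 'x.php;.jpg',
# spaces, and anything that is not a plain name.ext.
SAFE_NAME = re.compile(r"^([a-z0-9_-]{1,100})\.([a-z0-9]{1,10})$")


def validate_upload(filename, declared_mime, content, max_bytes=10 * 1024 * 1024):
    """Return (ok, reason, safe_name). safe_name is the sanitised name to store under."""
    # Keep only the final path component so '../../webapps/ROOT/x.png' cannot escape
    # the upload directory; the client-supplied directory part is never trusted.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if "\x00" in base:
        return False, "null byte in filename", None
    m = SAFE_NAME.match(base.lower())
    if not m:
        return False, "filename must be name.ext using [a-z0-9_-]", None
    ext = m.group(2)
    if ext not in EXT_TO_MIME:
        return False, f"extension not allowed: .{ext}", None
    # Strip parameters such as '; charset=utf-8' before comparing the media type.
    mime = declared_mime.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_MIME_TYPES:
        return False, f"MIME type not allowed: {mime}", None
    if mime != EXT_TO_MIME[ext]:
        return False, f"declared type {mime} does not match .{ext}", None
    if not content:
        return False, "empty file", None
    if len(content) > max_bytes:
        return False, "file too large", None
    sig = MAGIC.get(mime)
    if sig is not None and not content.startswith(sig):
        return False, "content does not match declared type", None
    return True, "ok", base.lower()


if __name__ == "__main__":
    samples = (
        ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.jsp", "image/png", b"\x89PNG\r\n\x1a\n"),
        ("shell.jsp.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    )
    for name, mime, data in samples:
        print(name, validate_upload(name, mime, data)[:2])
```

Note that the declared Content-Type and the extension are both client-controlled, which is why neither is trusted on its own: the extension must be on the allow-list, the MIME type must agree with it, and the content must look like what it claims to be.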
🔍 How to Verify
Check if Vulnerable:
Check the application version and attempt to upload a file with a disallowed extension to /api/admin/sys-file/upload
Check Version:
Check application.properties or build configuration for version information
Verify Fix Applied:
Verify version is 1.3.3-beta or later and test that only whitelisted file types can be uploaded
📡 Detection & Monitoring
Log Indicators:
- Multiple failed upload attempts
- Uploads of unusual file types (e.g., .jsp, .php, .exe)
- Large file uploads to admin endpoints
Network Indicators:
- POST requests to /api/admin/sys-file/upload with suspicious file content
- Unusual outbound connections after file uploads
SIEM Query:
source="web_server" AND (uri="/api/admin/sys-file/upload" AND (file_extension NOT IN (allowed_extensions) OR file_size > threshold))
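The SIEM query above uses placeholders (allowed_extensions, threshold) and assumes a log source that records the uploaded filename and size. The script below is an added example, not part of this advisory or the project, showing the same three detection rules from the log-indicator list applied to constructed JSON-formatted upload events: disallowed extension, oversized upload, and repeated failed uploads from one source. The field names, the allow-list, the size threshold and the failure count are assumptions; the sample log lines are constructed for the example.

```python
import json
from collections import Counter

UPLOAD_URI = "/api/admin/sys-file/upload"
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}   # assumed allow-list
SIZE_THRESHOLD = 5 * 1024 * 1024                             # assumed: 5 MiB
FAILED_ATTEMPT_THRESHOLD = 3                                 # assumed per-source limit

# Constructed sample events (one JSON object per line). Field names are assumptions
# about what an application or reverse-proxy log might carry for an upload request.
SAMPLE_LOG = """
{"ts":"2026-03-01T10:00:01Z","src":"10.0.0.5","method":"POST","uri":"/api/admin/sys-file/upload","status":200,"filename":"photo.jpg","size":120000}
{"ts":"2026-03-01T10:00:05Z","src":"203.0.113.9","method":"POST","uri":"/api/admin/sys-file/upload","status":200,"filename":"shell.jsp","size":4096}
{"ts":"2026-03-01T10:00:06Z","src":"203.0.113.9","method":"POST","uri":"/api/admin/sys-file/upload","status":403,"filename":"a.php","size":512}
{"ts":"2026-03-01T10:00:07Z","src":"203.0.113.9","method":"POST","uri":"/api/admin/sys-file/upload","status":403,"filename":"b.php","size":512}
{"ts":"2026-03-01T10:00:08Z","src":"203.0.113.9","method":"POST","uri":"/api/admin/sys-file/upload","status":403,"filename":"c.php","size":512}
{"ts":"2026-03-01T10:00:20Z","src":"10.0.0.7","method":"POST","uri":"/api/admin/sys-file/upload","status":200,"filename":"report.pdf","size":9000000}
{"ts":"2026-03-01T10:00:25Z","src":"10.0.0.5","method":"GET","uri":"/api/admin/sys-file/list","status":200}
{"ts":"2026-03-01T10:00:30Z","src":"198.51.100.4","method":"POST","uri":"/api/admin/sys-file/upload","status":200,"filename":"notes.txt","size":3000}
"""


def extension_of(filename):
    """Last extension of the final path component, lower-cased ('' if none)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(log_text):
    """Return a list of alert dicts for the upload-related rules."""
    alerts = []
    failures = Counter()
    for lineno, raw in enumerate(log_text.strip().splitlines(), 1):
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append({"rule": "unparseable_line", "line": lineno})
            continue
        # Only POSTs to the upload endpoint are in scope for these rules.
        if ev.get("method") != "POST" or ev.get("uri") != UPLOAD_URI:
            continue
        src = ev.get("src", "?")
        filename = ev.get("filename", "")
        if extension_of(filename) not in ALLOWED_EXTS:
            alerts.append({"rule": "disallowed_extension", "line": lineno,
                           "src": src, "filename": filename})
        if ev.get("size", 0) > SIZE_THRESHOLD:
            alerts.append({"rule": "oversized_upload", "line": lineno,
                           "src": src, "filename": filename, "size": ev["size"]})
        # A rejected upload (4xx/5xx) counts toward the repeated-failure rule.
        if ev.get("status", 0) >= 400:
            failures[src] += 1
    for src, n in failures.items():
        if n >= FAILED_ATTEMPT_THRESHOLD:
            alerts.append({"rule": "repeated_failed_uploads", "src": src, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The disallowed-extension rule fires even when the server returned 200 (the shell.jsp line), which is the case that matters on an unpatched 1.3.2-beta instance; the 403 lines show what the same rule looks like once the allow-list is enforced, and the per-source counter turns that burst of rejections into a single higher-confidence alert.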
🔗 References
- https://github.com/feiyuchuixue/sz-boot-parent/
- https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802
- https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
- https://github.com/yuccun/CVE/blob/main/sz-boot-parent-Arbitrary_File_Upload.md
- https://vuldb.com/?ctiid.347745
- https://vuldb.com/?id.347745
- https://vuldb.com/?submit.754038