Description
The TadTools file upload function fails to filter file extensions, so remote attackers can upload files of any type and execute arbitrary code without logging in.
References (1)
Core References
Third Party Advisory x_refsource_misc
https://www.twcert.org.tw/tw/cp-132-5170-83472-1.html
Scores
CVSS v3
9.8
EPSS
0.0146
EPSS Percentile
80.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
tadtools_project/tadtools
< 3.2.2
Published
Oct 08, 2021
Tracked Since
Feb 18, 2026