CVE-2026-1879

MEDIUM

Harvard University IQSS Dataverse Theme Customization ThemeAndWidgets.xhtml unrestricted upload

Title source: cna

Description

A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. It affects an unknown function of the file /ThemeAndWidgets.xhtml in the Theme Customization component. Manipulating the argument uploadLogo results in unrestricted upload. The attack can be carried out remotely. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue, and upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

References (5)

Core 5
Core References
VDB Entry, Technical Description
VDB-354616 | Harvard University IQSS Dataverse Theme Customization ThemeAndWidgets.xhtml unrestricted upload
https://vuldb.com/vuln/354616
Signature, Permissions Required
VDB-354616 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/354616/cti
Third Party Advisory
Submit #749003 | Harvard University Dataverse Project 6.8 build 1994-92d1ec8 Unrestricted Upload
https://vuldb.com/submit/749003

Scores

CVSS v3 6.3
EPSS 0.0026
EPSS Percentile 16.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-284 CWE-434
Status published
Products (10)
Harvard University/IQSS Dataverse 6.0
Harvard University/IQSS Dataverse 6.1
Harvard University/IQSS Dataverse 6.10
Harvard University/IQSS Dataverse 6.2
Harvard University/IQSS Dataverse 6.3
Harvard University/IQSS Dataverse 6.4
Harvard University/IQSS Dataverse 6.5
Harvard University/IQSS Dataverse 6.6
Harvard University/IQSS Dataverse 6.7
Harvard University/IQSS Dataverse 6.8
Published Apr 01, 2026
Tracked Since Apr 01, 2026