CVE-2026-7490

HIGH

Sunnet|CTMS and CPAS - Arbitrary File Upload

Title source: cna
STIX 2.1

Description

CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

References (2)

Core 2
Core References
Third Party Advisory third-party-advisory
https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html
Third Party Advisory third-party-advisory
https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html

Scores

CVSS v3 7.2
EPSS 0.0046
EPSS Percentile 36.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (4)
sun.net/ehrd_cpas
sun.net/ehrd_ctms
Sunnet/CPAS
Sunnet/CTMS
Published May 02, 2026
Tracked Since May 02, 2026