MEDIUM 6.3

CVE-2026-10172: Bdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability

Bdtask Multi-Store Inventory Management System version 1.0 contains a file upload vulnerability that allows authenticated users to upload arbitrary files to the server without validation. An attacker with valid login credentials can exploit this flaw to upload malicious files, potentially leading to remote code execution or other attacks. Public exploit code is available, increasing the risk of widespread exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-284, CWE-434
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The manipulation of the argument module results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the Upload function of the Module component (application/modules/dashboard/controllers/Module.php) in Bdtask version 1.0. The module parameter is not properly validated before being used in file upload operations, enabling unrestricted file uploads. The attack requires low privileges (authenticated user) and no user interaction. CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type) indicate that access controls and upload restrictions are insufficiently enforced.

Business impact

Successful exploitation enables attackers to upload executable or malicious files, potentially leading to system compromise, data theft, or lateral movement within the network. Organizations using Bdtask for inventory management may face operational disruption, data loss, or compliance violations if customer or business data is exfiltrated. The availability of public exploits significantly accelerates the timeline for active attacks.

Affected systems

Bdtask Multi-Store Inventory Management System version 1.0 is affected. Any deployment of this application is vulnerable if users have not applied patching or compensating controls. Verify your Bdtask installation version and confirm whether you are running version 1.0 or a newer patched release.

Exploitability

Exploitability is moderate to high. The attack requires authentication (reducing immediate exposure to anonymous attackers) but public exploit code is available, making weaponization straightforward for threat actors with valid credentials or those who have compromised user accounts. The network-accessible nature and low complexity further lower the barrier to exploitation.

Remediation

Prioritize upgrading Bdtask to a patched version beyond 1.0. Verify patch availability directly from the Bdtask vendor advisory. Implement file upload restrictions and validation: restrict allowed file types, enforce filename sanitization, store uploads outside the web root, and disable script execution in upload directories. Apply additional access controls to the dashboard module and monitor upload activity.

Patch guidance

Check the Bdtask vendor website or security advisory for patched versions released after 1.0. Apply the patch in a test environment first and validate that inventory functionality remains intact. If vendor patches are unavailable, implement compensating controls immediately: disable the upload feature if not in use, restrict access to the Module component via network controls, or temporarily disable the dashboard module until a patch is available.

Detection guidance

Monitor application logs for unusual file uploads to the dashboard module, particularly suspicious file extensions (exe, php, sh, jsp, etc.). Review web server access logs for POST requests to the upload endpoint with unexpected file types. Implement file integrity monitoring on the upload directory. Search for indicators of Web shells or executable files in unexpected locations. If a WAF is deployed, create rules to block uploads of dangerous file types to this endpoint.

Why prioritize this

Although the CVSS score of 6.3 is medium, the presence of public exploits, low attack complexity, and the ability to achieve code execution elevate practical risk. Any organization running Bdtask 1.0 should treat this as high priority due to the ease of exploitation and immediate availability of attack tools.

Risk score, explained

CVSS 3.1 score of 6.3 reflects the combination of network accessibility, low attack complexity, and the requirement for authentication. The score would be higher if the vulnerability allowed unauthenticated upload. However, the public availability of exploits and the potential for remote code execution warrant faster remediation timelines than the base CVSS score alone suggests.

Frequently asked questions

Does this vulnerability allow unauthenticated file uploads?

No. The vulnerability requires the attacker to have valid authentication credentials (login). However, this does not reduce urgency: attackers with compromised accounts, disgruntled employees, or those who have gained access through phishing can exploit it immediately.

What versions of Bdtask are affected?

Bdtask Multi-Store Inventory Management System version 1.0 is confirmed vulnerable. Verify your installation version in the application settings or admin panel. Confirm patched versions by consulting the Bdtask vendor's security advisory.

Can the uploaded files be executed on the server?

Yes, if malicious files are uploaded to web-accessible directories and executable file types are not blocked, attackers can execute arbitrary code. This is why disabling script execution in upload directories and restricting file types are critical controls.

Is this vulnerability tracked in CISA's Known Exploited Vulnerabilities catalog?

This vulnerability is not currently listed in the CISA KEV catalog as of the source data date, but the public availability of exploit code means it remains a significant active threat.

This advisory is provided for informational purposes. Organizations should verify all technical details, patch availability, and affected product versions directly with Bdtask vendor documentation and security advisories before taking action. SEC.co makes no warranties regarding the completeness or accuracy of remediation guidance and recommends testing all patches in non-production environments. Actual vulnerability impact may vary based on deployment configuration, network controls, and organizational access policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).