CVE-2026-11621: Dcat-Admin Unrestricted File Upload Vulnerability (CVSS 4.7)
Dcat-Admin versions up to 2.2.3-beta contain a file upload vulnerability in the User Setting Page. An authenticated administrator can upload arbitrary files by manipulating the image upload parameter in the editor component, potentially leading to code execution or data compromise. The vulnerability requires high-level privileges but poses a meaningful risk in multi-user admin environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-284, CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulation of the argument editormd-image-file causes unrestricted upload. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11621 is an unrestricted file upload vulnerability affecting the editorMDUpload function in Dcat-Admin's editor-md upload handler (/admin/dcat-api/editor-md/upload). The vulnerability stems from insufficient validation of the editormd-image-file parameter, allowing authenticated high-privilege users to bypass file type restrictions. This maps to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and is exploitable over the network without user interaction once an attacker has admin credentials.
Business impact
Organizations using Dcat-Admin as a backend administration framework face risk of unauthorized file placement within the application directory, potentially enabling web shell deployment, malware injection, or lateral movement within the application server. The requirement for admin authentication limits blast radius but concentrates risk on credential compromise or insider threats. Data integrity and confidentiality of managed content is at risk if attackers gain file write access.
Affected systems
Dcat-Admin versions up to and including 2.2.3-beta are vulnerable. No vendor or product-specific CPE data was available in the source intelligence. Organizations should verify their exact version against the official Dcat-Admin repository and determine exposure scope by auditing admin account usage and network access to the /admin path.
Exploitability
Public exploit code is available, reducing the barrier to weaponization. However, exploitation requires valid administrator credentials and network access to the admin interface. The attack does not require user interaction beyond credential possession, and the low attack complexity (AC:L) means standard exploitation tools are sufficient. Active monitoring for unusual file uploads or new files in web-accessible directories is advisable.
Remediation
Upgrade Dcat-Admin to a patched version released after 2.2.3-beta. Verify the exact version number against the official Dcat-Admin advisory and security releases. Until patching is complete, implement network-level restrictions limiting admin interface access to trusted IP ranges, enforce strong authentication (MFA where possible) for admin accounts, and deploy file upload restrictions at the web server level to block executable file types in the upload directory.
Patch guidance
Check the official Dcat-Admin GitHub repository and release notes for versions newer than 2.2.3-beta that address CVE-2026-11621. Apply patches to a test environment first to verify functionality, especially for customized admin interfaces. Monitor the application logs for any suspicious upload attempts during and after patching. If running on a managed platform, confirm your provider has released and deployed the patch.
Detection guidance
Monitor web server logs for POST requests to /admin/dcat-api/editor-md/upload with non-image content-types or suspicious file extensions in the editormd-image-file parameter. Audit the application upload directory for files created by admin users outside normal editing workflows. Review admin account login logs for unusual access patterns or geographic anomalies. Implement integrity monitoring on web-accessible directories to flag unexpected file creation.
Why prioritize this
Although CVSS score is MEDIUM (4.7) due to the requirement for high-privilege authentication, the public availability of exploit code and the potential for privilege escalation or data breach via file write access elevates practical risk. Organizations with multiple admins, high-turnover admin staff, or previous credential compromise should prioritize patching. This is not critical but warrants expedited handling within 30–60 days depending on your admin access controls.
Risk score, explained
The CVSS 3.1 score of 4.7 reflects network accessibility and low complexity, but penalizes the requirement for admin privileges (PR:H). The modest impact ratings (Low on each dimension) account for the attack being limited by authentication boundary and potential mitigations via file permissions. However, in environments with weak admin credential hygiene, actual risk may exceed the base score.
Frequently asked questions
Do we need admin access to exploit this?
Yes. The vulnerability requires valid administrator credentials to authenticate to the Dcat-Admin interface and invoke the upload endpoint. This is a key limitation that reduces the attack surface compared to unauthenticated vulnerabilities, but insider threats and compromised admin accounts remain a concern.
What kinds of files can be uploaded?
The vulnerability allows uploading arbitrary file types by bypassing the image validation logic. Attackers could upload PHP, JSP, ASP, or other executable scripts if the web server is configured to execute code in the upload directory—a common misconfiguration.
Is this vulnerability being actively exploited?
Public exploit code exists, which lowers the technical barrier. While there is no data indicating widespread active exploitation, the availability of PoC code means opportunistic attacks are possible, especially against internet-facing admin panels with weak credentials.
What should I do if I cannot patch immediately?
Restrict network access to /admin paths using firewalls or web application firewalls, enforce multi-factor authentication on all admin accounts, disable file execution in the upload directory via web server configuration (.htaccess or nginx rules), and monitor upload activity closely.
This analysis is for informational purposes and should not be construed as a substitute for vendor advisories or professional security assessment. Patch versions, vendor release timelines, and specific mitigations are subject to change; verify current guidance against official Dcat-Admin releases and your own environment's security policies. SEC.co does not provide legal or compliance guarantees. Unauthorized testing of systems you do not own or have explicit permission to test is illegal. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler
- CVE-2026-11333MEDIUMUnrestricted File Upload in CollegeManagementSystem Dashboard
- CVE-2026-11344HIGHUnrestricted File Upload in code-projects Vehicle Management System 1.0
- CVE-2026-11474HIGHUnrestricted File Upload in Kushan2k Student Management System
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure