Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
FastApiAdmin: Unrestricted File Upload in Scheduled Task API
CVE-2026-2979
Summary
FastApiAdmin versions up to 2.2.0 have a security issue that allows an attacker to upload any file on the server. This could lead to unauthorized data being uploaded and potentially compromise the system. Update to a fixed version of FastApiAdmin to protect against this risk.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| fastapiadmin | fastapiadmin | <= 2.2.0 | – |
Original title
A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Sc...
Original description
A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
nvd CVSS2.0
6.5
nvd CVSS3.1
8.8
nvd CVSS4.0
5.3
Vulnerability type
CWE-284
Improper Access Control
CWE-434
Unrestricted File Upload
- https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnera... Exploit Third Party Advisory
- https://vuldb.com/?ctiid.347363 Permissions Required
- https://vuldb.com/?id.347363 Third Party Advisory
- https://vuldb.com/?submit.756156 Third Party Advisory
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026