5.3
huanzi-qch base-admin allows attackers to upload malicious files
CVE-2026-2665
Summary
A security issue in the huanzi-qch base-admin system allows attackers to upload any type of file without restrictions, potentially leading to malicious code execution. Because unauthorized files can be placed on the system, its security could be compromised. If you use this system, consider taking steps to mitigate the issue, such as updating to a newer version or patching the system as soon as possible.
Original title
A vulnerability was detected in huanzi-qch base-admin up to 57a8126bb3353a004f3c7722089e3b926ea83596. Impacted is the function Upload of the file SysFileController.java of the component JSP Parser....
Original description
A vulnerability was detected in huanzi-qch base-admin up to 57a8126bb3353a004f3c7722089e3b926ea83596. Impacted is the function Upload of the file SysFileController.java of the component JSP Parser. Performing a manipulation of the argument File results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
NVD CVSS 2.0: 6.5
NVD CVSS 3.1: 6.3
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-284: Improper Access Control
CWE-434: Unrestricted File Upload
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026