Unrestricted File Upload in FastAPIAdmin 2.2.0 Scheduled Task API
CVE-2026-2978
Summary
FastAPIAdmin 2.2.0 does not restrict which files can be uploaded through its Scheduled Task API, so an attacker can upload arbitrary files, which could lead to unauthorized access or code execution on the affected system. Update to a newer version of FastAPIAdmin once one that fixes this issue is available.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| fastapiadmin | fastapiadmin | <= 2.2.0 | – |
Original title
A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the co...
Original description
A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used.
NVD CVSS 2.0: 6.5
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 5.3
Vulnerability type
- CWE-284: Improper Access Control
- CWE-434: Unrestricted File Upload
References
- https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnera... (Exploit, Third Party Advisory)
- https://vuldb.com/?ctiid.347362 (Permissions Required, VDB Entry)
- https://vuldb.com/?id.347362 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.756155 (Third Party Advisory, VDB Entry)
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026