Unrestricted File Upload Vulnerability in lwj Flow by Dragon
CVE-2026-1126
What is CVE-2026-1126?
A vulnerability exists in the lwj Flow development framework, in the uploadFile function of the SVG File Handler. The function does not sufficiently validate the File argument, so a remote attacker can upload arbitrary files. This flaw can lead to serious security breaches, allowing malicious files to be executed on the server. The problem was reported early to the project maintainers, but there has been no response and no patch has been provided, raising concerns about the security of users relying on this software.
Affected Version(s)
flow a3d2fe8133db9d3b50fda4f66f68634640344641
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
