Path Traversal Vulnerability in JeeSite Affects File Upload Functionality
CVE-2026-36760

9.6 CRITICAL

Key Information:

Vendor: ThinkGem

Status
Vendor
CVE Published: 30 April 2026

What is CVE-2026-36760?

CVE-2026-36760 is a path traversal vulnerability in the fileMd5 parameter of the /a/file/upload endpoint in JeeSite v5.15.1. An authenticated attacker with file upload permissions can exploit it to write arbitrary files with permissible suffixes to any location on the filesystem, especially when chunked upload is enabled, which poses a significant security risk. Organizations using JeeSite should urgently assess their deployments to prevent potential exploitation.
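
The kind of server-side check that closes this class of bug, as an added example (not JeeSite's code and not the vendor's fix): the client-supplied fileMd5 is accepted only if it is a 32-character hex digest, and the resolved path must stay under the upload base directory. It assumes fileMd5 is used as a directory name for upload chunks; the class name, method name, base directory and sample inputs are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.regex.Pattern;

public class UploadPathGuard {
    // An MD5 digest in hex is exactly 32 hex characters; nothing else is accepted.
    private static final Pattern MD5_HEX = Pattern.compile("[0-9a-fA-F]{32}");

    /**
     * Resolves the chunk directory for an upload, or throws if the
     * client-supplied value could escape the base directory.
     */
    static Path resolveChunkDir(Path baseDir, String fileMd5) {
        // matches() requires the whole string to fit the pattern.
        if (fileMd5 == null || !MD5_HEX.matcher(fileMd5).matches()) {
            throw new IllegalArgumentException("fileMd5 is not a 32-character hex digest");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileMd5.toLowerCase(Locale.ROOT)).normalize();
        // Defence in depth: the resolved path must be strictly inside the base.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("resolved path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/data/upload-chunks"); // hypothetical location
        String[] samples = {                               // constructed inputs
            "d41d8cd98f00b204e9800998ecf8427e",            // well-formed digest
            "../../tmp/d41d8cd98f00b204e9800998ecf8427e",  // relative traversal
            "d41d8cd98f00b204e9800998ecf8427e/../..",      // digest prefix, then traversal
            "/tmp/elsewhere",                              // absolute path
            "..",
            null
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + resolveChunkDir(base, s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " -> " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; every other value is rejected by the format check before any path is built.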

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
