Improper Authorization in perfree go-fastdfs-web up to 1.3.7 Vulnerability
CVE-2026-6105

6.9MEDIUM

Key Information:

Vendor: Perfree
Status: Go-fastdfs-web
Vendor: CVE Published:; 11 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-6105?

A security vulnerability has been identified in the perfree go-fastdfs-web application, specifically within the InstallController.java component. This flaw allows for improper authorization, posing a risk that can be exploited remotely. Attackers may leverage this vulnerability to gain unauthorized access to sensitive functionalities within the application. Despite early warnings provided to the vendor, no remedial actions have been communicated, leaving systems potentially exposed to malicious exploitation.

Affected Version(s)

go-fastdfs-web 1.3.0

go-fastdfs-web 1.3.1

go-fastdfs-web 1.3.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-6105 - Proof of Concept

References

https://vuldb.com/vuln/356964

vdb-entry

https://vuldb.com/vuln/356964/cti

signaturepermissions-required

https://vuldb.com/submit/781598

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 11, 2026
👾
Exploit known to exist
Apr 11, 2026
Vulnerability published
Apr 11, 2026
Vulnerability Reserved
Apr 11, 2026

Credit

yingxiujie (VulDB User)

VulDB CNA Team

CVE-2026-6105 Data

JSON

Perfree