Arbitrary File Upload Vulnerability in CTMS and CPAS by Sunnet
CVE-2026-7490

8.6HIGH

Key Information:

Vendor: Sunnet
Status: Ctms; Cpas
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-7490?

An Arbitrary File Upload vulnerability exists in CTMS and CPAS developed by Sunnet, allowing attackers with elevated privileges to upload arbitrary files. This flaw enables the execution of malicious web shell backdoors on the server, facilitating unauthorized access and control over the affected system. Organizations using these products should take immediate action to mitigate this risk.

Affected Version(s)

CPAS 0

CTMS 0

References

https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html

third-party-advisory

https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-7490 Data

JSON