CVE-2021-26642 HIGH

CVE-2021-26642: XpressEngine file upload vulnerability

Vendor Xehub
Product XE3 XpressEngine
Weakness CWE-434 · Unrestricted file upload
Published January 20, 2023
Last update April 3, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

When an image file is uploaded to a bulletin board developed with XpressEngine, insufficient verification of the file allows an arbitrary file to be uploaded. A remote attacker can use this vulnerability to execute arbitrary code on the server where the bulletin board is running.

Key dates

02 Disclosure timeline

January 20, 2023 CVE published
April 3, 2025 Record updated