CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-QV4M-M73M-8HJ7

GHSA-qv4m-m73m-8hj7: Authenticated Arbitrary File Upload leading to Remote Code Execution in NotrinosERP

Alon Barad
Alon Barad
Software Engineer

Jul 11, 2026·6 min read·2 visits

Executive Summary (TL;DR)

Authenticated users with SA_EMPLOYEE permissions in NotrinosERP versions up to and including 1.0.0 can upload arbitrary PHP scripts via the employee document upload interface, resulting in remote code execution.

An authenticated remote code execution vulnerability exists in NotrinosERP (versions up to and including 1.0.0) within the Human Resource Management (HRM) module. Users with employee management permissions can upload arbitrary file types, including PHP scripts, which are written directly to a web-accessible directory. This allows for arbitrary code execution in the context of the web-server user.

Vulnerability Overview

The Human Resource Management (HRM) module of NotrinosERP contains a critical file upload interface within the employee profile documents section. This interface is accessible to authenticated users who possess the "Manage Employees" (SA_EMPLOYEE) privilege. The purpose of this module is to allow HR coordinators to attach administrative and identification documents to individual employee profiles.

The backend handling of these file uploads presents an unconstrained attack surface. It accepts files directly from the user's multipart HTTP POST request and writes them into a public directory within the application's web root. There is no access control mechanism or routing gateway protecting these files once they are written to disk.

The primary vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). By exploiting this flaw, an attacker can upload executable scripts, such as web shells, and trigger their execution by requesting the file directly via HTTP. This leads to immediate and complete remote code execution under the privileges of the web server's operating system process.

Root Cause Analysis

The fundamental flaw resides within the script "hrm/manage/employees.php" inside the "tab_documents()" function. In NotrinosERP version 1.0.0, the handler responsible for processing the employee document form fails to execute any validation on the client-supplied filename or file content. It relies on the raw "$_FILES['doc_file']['name']" variable to determine the destination filename on the server.

Unlike other upload functions within NotrinosERP—such as the profile photo uploader, which enforces image format verifications, or the core attachment engine in "includes/ui/attachment.inc", which generates random, extensionless files on disk—this specific HRM handler bypasses all security layers. It builds the target filesystem path by concatenating the upload directory with the unsanitized, user-provided filename.

Furthermore, the destination directory "/company/0/documents/employees/" is fully web-accessible. The root ".htaccess" file only restricts files ending in specific administrative extensions such as ".inc", ".po", or ".sh". It does not contain rules to block the execution of PHP scripts inside the "/company" tree, allowing the web server to interpret and execute any PHP files written to this path.

Code Analysis

The vulnerable code execution flow can be traced directly within the document upload handler. The following block highlights the exact mechanism where the unsanitized input is processed and written to the filesystem.

// hrm/manage/employees.php (Release 1.0.0, Lines 568-573)
$upload_dir = company_path().'/documents/employees';
if (!file_exists($upload_dir))
    mkdir($upload_dir, 0777, true);
 
// Vulnerable path construction using unvalidated client filename
$file_path = $upload_dir.'/'.$employee_id.'_'.time().'_'.$_FILES['doc_file']['name'];
 
// File written to the web root without further inspection
if (!move_uploaded_file($_FILES['doc_file']['tmp_name'], $file_path)) {
    // error handling
}

The variable "$file_path" is constructed by directly appending the client-provided file name. Because there is no call to a sanitization function or an extension check, an attacker can control both the file extension and the path layout. On PHP environments that do not automatically strip path traversal sequences from file upload names, an attacker could inject "../" directory traversal characters, leading to a secondary CWE-22 vulnerability.

Additionally, a secondary stored Cross-Site Scripting (XSS) vulnerability (CWE-79) exists in the rendering code within "hrm/includes/ui/employee_ui.inc". The application stores the "$file_path" in the database and echoes it directly inside the "href" attribute of an anchor tag without applying any HTML entity encoding.

// hrm/includes/ui/employee_ui.inc (Lines 153-154)
// Vulnerable output rendering
echo "<a href='" . $file_path . "' target='_blank'>View</a>";

Exploitation Methodology

An attacker must first authenticate and obtain a valid session cookie possessing the "SA_EMPLOYEE" permission. The attack requires a valid CSRF token, which can be acquired by querying the document tab. A "GET" request is sent to the employee page to extract the "_token" parameter from the HTML form.

With the CSRF token in hand, the attacker constructs a multipart form-data "POST" request to upload the payload. The payload is a standard PHP web shell embedded within the "doc_file" parameter, with the filename set to "shell.php".

Because the application writes the final file path back to the user interface, the attacker does not need to guess the generated UNIX timestamp. The attacker reads the generated URL directly from the "View" link inside the HTTP response, then navigates to the uploaded script to execute arbitrary commands on the hosting server.

Impact Assessment

The impact of this vulnerability is critical, carrying a CVSS score of 8.8. Successful exploitation grants the attacker full remote code execution in the context of the user running the web server daemon, typically "www-data" or a dedicated low-privilege service account.

From this position, the attacker can read sensitive configuration files, including database credentials stored in the application's configuration path. This access can be leveraged to extract ERP data, manipulate financial or employee records, or escalate privileges on the host system depending on local OS configurations.

Furthermore, because the target directories are web-accessible and lacked restrictive access control headers or ".htaccess" configuration blocks, the backdoor remains persistently available. The system's integrity, availability, and confidentiality are completely compromised if an unauthorized operator executes command shells on the backend.

Remediation & Secure Architecture

To remediate this vulnerability, developers must restructure the document upload logic. The application must avoid using user-controlled names for the direct filesystem storage path. Developers should generate random, extensionless identifiers (such as a UUID or "uniqid()") on the backend, and map these identifiers to the original filenames in a secured database table.

An alternative mitigation involves configuring the web server to deny script execution in the upload directory. For Apache servers, an ".htaccess" file should be deployed inside the "/company/0/documents/" directory to block the PHP interpreter. This prevents the server from executing scripts even if they are successfully uploaded.

# Disable engine execution in the upload folder
php_admin_flag engine off
RemoveHandler .php
SetHandler none

The ideal secure architecture pattern requires moving the upload storage directory completely outside of the web server's document root. Files should be retrieved and served exclusively through an application routing gateway that validates authorization and streams the file using proper content-disposition headers.

Official Patches

NotrinosNotrinosERP Repository

Technical Appendix

CVSS Score
8.8/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

NotrinosERP Human Resource Management (HRM) module

Affected Versions Detail

Product
Affected Versions
Fixed Version
NotrinosERP
Notrinos
<= 1.0.0None
AttributeDetail
CWE IDCWE-434, CWE-79, CWE-22
Attack VectorNetwork
CVSS Severity8.8 (High)
EPSS ScoreN/A
ImpactRemote Code Execution (RCE)
Exploit StatusProof of Concept
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1505.003Server Software Component: Web Shell
Persistence
T1190Exploit Public-Facing Application
Initial Access
CWE-434
Unrestricted Upload of File with Dangerous Type

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

Known Exploits & Detection

GitHub Security AdvisoryAdvisory text containing full validation and reproduction steps for the file upload RCE vulnerability.

Vulnerability Timeline

Vulnerability disclosed publicly by Kasper Hong / Kasper Builds.
2026-07-10

References & Sources

  • [1]NotrinosERP Repository
  • [2]GitHub Security Advisory GHSA-qv4m-m73m-8hj7

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•29 minutes ago•GHSA-99J7-FHR2-XFJ4
10.0

GHSA-99J7-FHR2-XFJ4: Malicious Remote Code Execution Payload in 'exploration' Cargo Crate

The malicious Cargo package 'exploration' was uploaded to the crates.io registry. During compilation or package import, the crate executes code designed to establish an outbound TCP/HTTP connection, download an external second-stage binary, and execute the binary locally on the host machine. This creates an unauthenticated remote code execution vector impacting developer environments and continuous integration pipelines.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 1 hour ago•CVE-2026-54088
9.3

CVE-2026-54088: Pre-Authentication Remote Code Execution in File Browser Hook Authentication

CVE-2026-54088 is a critical command injection vulnerability in File Browser prior to version 2.63.6. When Hook Authentication is enabled, the application interpolates unsanitized credentials into a shell command, allowing unauthenticated remote code execution.

Alon Barad
Alon Barad
2 views•6 min read
•about 2 hours ago•GHSA-XRMC-C5CG-RV7X
8.8

GHSA-XRMC-C5CG-RV7X: Security Bypass Vulnerability in safeinstall-cli Command Parser

A high-severity security bypass vulnerability exists in safeinstall-cli up to version 0.10.1. Due to multiple logical limitations in its shell command parsing mechanism (guard-parser), attackers can craft specific shell commands that completely evade the Agent Guard interceptor hooks. This allows arbitrary unverified installations and code executions on the developer system when executed by AI coding agents.

Alon Barad
Alon Barad
2 views•7 min read
•about 2 hours ago•GHSA-WM45-QH3G-V83F
7.7

GHSA-WM45-QH3G-V83F: Arbitrary Server-Side File Read and Exfiltration via Attachment Upload in mcp-atlassian

An arbitrary server-side file read vulnerability exists in the mcp-atlassian integration server. Remote clients utilizing SSE or HTTP transports can exploit the lack of directory containment on attachment-upload tools to resolve and read arbitrary host files, exfiltrating them directly to Atlassian Jira or Confluence.

Amit Schendel
Amit Schendel
3 views•8 min read
•about 3 hours ago•GHSA-G5R6-GV6M-F5JV
7.7

GHSA-G5R6-GV6M-F5JV: Arbitrary File Read and Exfiltration in mcp-atlassian via Missing Path Validation

A directory traversal vulnerability exists in the mcp-atlassian integration server prior to version 0.22.0. The confluence_upload_attachment tool fails to restrict the paths of uploaded files, allowing authenticated users or external prompt injection payloads to retrieve and exfiltrate arbitrary files from the server's filesystem into Confluence.

Amit Schendel
Amit Schendel
3 views•7 min read
•about 3 hours ago•CVE-2026-54158
9.9

CVE-2026-54158: Stored Cross-Site Scripting to Host Remote Code Execution in SiYuan

A critical-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the SiYuan personal knowledge management system. Due to missing sanitization in the attribute-view cell renderer and an insecure Electron default configuration (nodeIntegration: true), attackers can execute arbitrary commands on the victim's host operating system through synchronized workspaces.

Alon Barad
Alon Barad
6 views•5 min read