CVE-2026-32989

Summary

Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations, leading to arbitrary code execution in the context of the web server.

Affected Software

VendorProductVersion RangeStatus
PrecurioPrecurio Intranet Portal4.4affected

Weaknesses

  • CWE-352: CWE-352 Cross-Site request forgery (CSRF)
  • CWE-434: CWE-434 Unrestricted upload of file with dangerous type

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References