CVE-2026-40521
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. Attackers can supply path traversal sequences ../../../shell.php to write files outside the intended attachments directory into the web root, and by uploading PHP files without extension validation, achieve remote code execution as the web server user.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FrontAccounting | FrontAccounting | 0 < 2.4.20 | affected |
| FrontAccounting | FrontAccounting | 701fea6848da4a02fb83d30f07a9c0473d6b7e33 | unaffected |
Weaknesses
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://jivasecurity.com/writeups/frontaccounting-rce-attachment-upload-cve-2026-40521
- https://sourceforge.net/p/frontaccounting/news/2026/04/release-2420/
- https://github.com/FrontAccountingERP/FA/commit/701fea6848da4a02fb83d30f07a9c0473d6b7e33
- https://www.vulncheck.com/advisories/frontaccounting-path-traversal-rce-via-attachment-upload
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.