Cyber Posture

CVE-2026-3748

MediumPublic PoC

Published: 08 March 2026

Published
08 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0012 30.2th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in Bytedesk up to 1.3.9. This affects the function uploadFile of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java of the component SVG File Handler. Performing a manipulation results in unrestricted upload. Remote exploitation of the attack is possible.…

more

The exploit has been released to the public and may be used for attacks. Upgrading to version 1.4.5.1 is able to mitigate this issue. The patch is named 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is recommended.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the unrestricted file upload flaw via patching to version 1.4.5.1.

SI-10 Information Input Validation good match
prevent

Mandates validation of uploaded files at entry points to block dangerous types like malicious SVGs, directly countering CWE-434.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for file upload operations, addressing CWE-284 improper access control exploitable by low-privileged remote users.

Security SummaryAI

CVE-2026-3748 is a vulnerability in Bytedesk versions up to 1.3.9 that enables unrestricted file upload. It affects the uploadFile function in the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java within the SVG File Handler component.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely over the network with low complexity by an attacker possessing low privileges, without requiring user interaction and with unchanged scope. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, stemming from CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). Remote exploitation is possible, and a public exploit has been released.

Mitigation involves upgrading to Bytedesk version 1.4.5.1, which addresses the issue via the patch commit 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is recommended, with details available in the project's GitHub repository, commit history, and related issues.

The exploit's public release increases the risk of attacks against unpatched Bytedesk instances.

Details

CWE(s)
CWE-284CWE-434

Affected Products

bytedesk
bytedesk
≤ 1.4.5.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Unrestricted file upload vulnerability in public-facing Bytedesk application enables exploitation of public-facing application (T1190) and facilitates deployment of web shells via upload of malicious files (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References