Cyber Posture

CVE-2026-3749

Severity: Medium · Public PoC available

Published: 08 March 2026
Modified: 10 March 2026
KEV Added: none
Patch: available (1.4.5.1)

CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0013 (31.5th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A weakness has been identified in Bytedesk up to version 1.3.9. It affects the function handleFileUpload in the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the SVG File Handler component. Manipulation of the upload request can lead to an unrestricted file upload, and the attack can be executed remotely.

An exploit has been made public and could be used for attacks. Upgrading to version 1.4.5.1 resolves this issue; the fix is commit 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is recommended.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-2 (prevent): requires timely flaw remediation through patching, directly addressing the unrestricted file upload vulnerability fixed in Bytedesk 1.4.5.1.

SI-10 (prevent): mandates validation of information inputs such as file uploads, preventing exploitation of the handleFileUpload function by rejecting dangerous file types or malformed content.

SI-9 (prevent): enforces restrictions on input types such as file extensions in the SVG File Handler, blocking unrestricted uploads of dangerous files.
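The SI-10 control above is abstract; the following is an added example (not Bytedesk code, and not the actual fix in commit 975e39e4) of what "rejecting dangerous file types or malformed content" looks like for an SVG upload handler. It applies an extension and content-type allowlist, a size cap, refuses DTD/entity declarations before the bytes reach an XML parser, parses the document and rejects active content (script-like elements, event-handler attributes, javascript:/data: hrefs), and finally assigns a server-generated storage name so the client's filename never reaches the filesystem. The function and constant names, the 512 KiB limit, and the sample SVG documents are all constructed for this example.

```python
"""Defensive validation for SVG uploads (constructed example, not Bytedesk code)."""
import re
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 512 * 1024                  # hypothetical size cap for an icon/avatar upload
ALLOWED_EXTENSIONS = {".svg"}           # allowlist; never a denylist of "bad" extensions
ALLOWED_CONTENT_TYPES = {"image/svg+xml"}
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
SCHEME_RE = re.compile(r"^\s*(javascript|data|vbscript):", re.IGNORECASE)


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None   # server-chosen name, only set on acceptance


def _local(tag: str) -> str:
    """Strip the namespace prefix from an ElementTree tag such as '{ns}script'."""
    return tag.rsplit("}", 1)[-1]


def validate_svg_upload(filename: str, content_type: str, data: bytes) -> UploadResult:
    """Return whether the upload is acceptable and, if so, the name to store it under."""
    # 1. File type: allowlist on the *last* extension, so "x.svg.jsp" is rejected.
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return UploadResult(False, f"extension not allowed: {ext or '(none)'}")
    # 2. Declared media type must match the allowlist (parameters such as charset ignored).
    if content_type.split(";")[0].strip().lower() not in ALLOWED_CONTENT_TYPES:
        return UploadResult(False, f"content type not allowed: {content_type}")
    # 3. Size cap, enforced before any parsing work is done.
    if len(data) > MAX_BYTES:
        return UploadResult(False, "file exceeds size limit")
    # 4. Refuse DTD/entity declarations outright; this blocks XXE and entity-expansion
    #    documents regardless of how the downstream XML parser is configured.
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return UploadResult(False, "DTD or entity declarations are not allowed")
    # 5. The content must actually be well-formed XML whose root is <svg> in the SVG namespace.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return UploadResult(False, f"malformed XML: {exc}")
    if root.tag != f"{{{SVG_NS}}}svg":
        return UploadResult(False, "root element is not <svg> in the SVG namespace")
    # 6. Reject active content anywhere in the tree.
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_TAGS:
            return UploadResult(False, f"forbidden element: <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()            # handles xlink:href as well as plain href
            if a.startswith("on"):
                return UploadResult(False, f"event handler attribute: {a}")
            if a == "href" and SCHEME_RE.match(value):
                return UploadResult(False, f"forbidden URL scheme in {a}")
    # 7. Never reuse the client-supplied name; the server decides the stored path.
    return UploadResult(True, "ok", stored_name=f"{uuid.uuid4().hex}.svg")


# Constructed sample inputs for exercising the validator.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">'
              b'<circle cx="4" cy="4" r="3"/></svg>')
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect onload="1"/></svg>'
DTD_SVG = (b'<!DOCTYPE svg [<!ENTITY x "y">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>')

if __name__ == "__main__":
    for label, fn, ct, body in [
        ("benign", "logo.svg", "image/svg+xml", BENIGN_SVG),
        ("wrong extension", "page.jsp", "image/svg+xml", BENIGN_SVG),
        ("script element", "logo.svg", "image/svg+xml", SCRIPTED_SVG),
        ("event handler", "logo.svg", "image/svg+xml", HANDLER_SVG),
        ("dtd", "logo.svg", "image/svg+xml", DTD_SVG),
    ]:
        r = validate_svg_upload(fn, ct, body)
        print(f"{label:16} accepted={r.accepted} reason={r.reason}")
```

The order of checks matters: the cheap, metadata-level checks (extension, content type, size) run first, and the DTD check runs on raw bytes so that no parser ever sees an entity declaration. Serving accepted files with Content-Disposition: attachment and X-Content-Type-Options: nosniff, or from a separate origin, is the usual complement to validation, since even a well-formed SVG is still an XML document a browser will render.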

Security Summary (AI-generated)

CVE-2026-3749 is an unrestricted file upload vulnerability affecting Bytedesk versions up to 1.3.9. The issue resides in the handleFileUpload function within the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the SVG File Handler component. This weakness, tied to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), allows manipulation that bypasses file upload restrictions.

The vulnerability can be exploited remotely by a low-privileged user (PR:L) over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), earning a CVSS v3.1 base score of 6.3 (C:L/I:L/A:L). Successful exploitation enables limited confidentiality, integrity, and availability impacts through unrestricted file uploads, with a public exploit available for potential attacks.

Mitigation is addressed by upgrading to Bytedesk version 1.4.5.1, which includes the patch commit 975e39e4dd527596987559f56c5f9f973f64eff7. Additional details are available in the project's GitHub repository, including issue #19 and related comments.

Exploitation in the wild has not been reported, but the public availability of the exploit increases risk for unpatched instances.

Details

CWE(s): CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products: bytedesk / bytedesk, version ≤ 1.4.5.1

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An unrestricted file upload in a public-facing web application (Bytedesk) enables remote exploitation for initial access (T1190) and facilitates web shell deployment (T1505.003) through the upload of malicious files such as JSP shells.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References