CVE-2026-36760
published 2026-04-30
Priority P263, critical, CVSS 3.1 score 9.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.38% (30.2th percentile)
An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.
VulDB
thinkgem JeeSite 5.15.1 /a/file/upload fileMd5 path traversal (ID 530)
vuldb·2026-04-30·CVSS 9.6
CVE-2026-36760 [CRITICAL] thinkgem JeeSite 5.15.1 /a/file/upload fileMd5 path traversal (ID 530)
A vulnerability categorized as critical has been discovered in thinkgem JeeSite 5.15.1. This affects an unknown part of the file /a/file/upload. Executing a manipulation of the argument fileMd5 can lead to path traversal.
This vulnerability is registered as CVE-2026-36760. It is possible to launch the attack remotely. No exploit is available.
GHSA
GHSA-hw83-j72w-q54c: An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5
ghsa_unreviewed·2026-04-30
CVE-2026-36760 [CRITICAL] CWE-22 GHSA-hw83-j72w-q54c: An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5
An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-30