CVE-2026-7490
Published 2026-05-02
CVE-2026-7490: CTMS and CPAS developed by Sunnet have an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors…
Priority: P3 · 52 · high · 7.2 (CVSS 3.1)
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.46% (36.9th percentile)
CTMS and CPAS developed by Sunnet have an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sunnet | cpas | — | — |
| sunnet | ctms | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Sunnet CTMS/CPAS unrestricted upload (EUVD-2026-26770)
vuldb·2026-05-02·CVSS 8.6
CVE-2026-7490 [HIGH] Sunnet CTMS/CPAS unrestricted upload (EUVD-2026-26770)
A vulnerability, which was classified as critical, has been found in Sunnet CTMS and CPAS. This issue affects some unknown processing. Performing a manipulation results in unrestricted upload.
This vulnerability is reported as CVE-2026-7490. The attack can be carried out remotely. No exploit exists.
GHSA
GHSA-39xp-f2mc-9vx4: CTMS and CPAS developed by Sunnet have an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell bac
ghsa_unreviewed·2026-05-02
CVE-2026-7490 [HIGH] CWE-434 GHSA-39xp-f2mc-9vx4: CTMS and CPAS developed by Sunnet have an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell bac
CTMS and CPAS developed by Sunnet have an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-02