Platform
nodejs
Component
vulnerabilities
Fixed in
72.0.1
CVE-2026-4999 describes a Path Traversal vulnerability affecting z-9527 admin versions up to 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2. This flaw allows attackers to potentially access sensitive files and directories on the server. Due to the product's rolling release model, specific affected versions are not provided. Mitigation strategies and detection methods are crucial to address this risk.
The Path Traversal vulnerability in z-9527 admin allows an attacker to bypass intended access restrictions and retrieve arbitrary files from the server's file system. By manipulating the fileType parameter within the /server/utils/upload.js file, an attacker can craft requests that include directory traversal sequences (e.g., ../../../../etc/passwd). Successful exploitation could lead to the exposure of sensitive configuration files, source code, or other critical data. Given the public disclosure of this vulnerability, it is likely that automated scanning tools are already attempting to exploit it. The potential impact extends beyond data exposure, as an attacker could potentially leverage file access to execute arbitrary code or gain further control over the system, depending on the permissions of the web server user.
CVE-2026-4999 has been publicly disclosed, indicating a higher probability of exploitation. The vulnerability is present in the uploadFile function of the isImg Check component and is accessible remotely. The public availability of this information increases the risk of automated exploitation attempts. No KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge, further increasing the risk.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
CVSS Vector
Due to z-9527 admin's rolling release model, a direct upgrade to a patched version may not be immediately available. As a temporary workaround, implement strict input validation on the fileType parameter in the /server/utils/upload.js file to prevent directory traversal sequences. This can be achieved by whitelisting allowed file extensions and rejecting any input containing characters like ... Consider deploying a Web Application Firewall (WAF) with rules to block requests containing suspicious directory traversal patterns. Regularly review and audit the web server's file permissions to minimize the potential impact of a successful exploit. Since a direct patch is unavailable, continuous monitoring for exploitation attempts is critical.
Update the z-9527 admin component to a version later than 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2. If no version is available, contact the vendor for a patch or workaround. Review and validate 'fileType' inputs to prevent directory traversal.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-4999 is a Medium severity vulnerability allowing attackers to access unauthorized files via manipulation of the fileType parameter in z-9527 admin versions up to 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2.
If you are using z-9527 admin versions up to 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2, you are potentially affected by this vulnerability.
Due to the rolling release model, a direct patch may not be immediately available. Implement input validation and WAF rules as temporary mitigations.
The vulnerability has been publicly disclosed, increasing the likelihood of active exploitation attempts.
Consult the z-9527 admin documentation and security advisories for updates and mitigation guidance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.